Microsoft Security Bulletin MS12-070 - Important
Vulnerability in SQL Server Could Allow Elevation of Privilege (2754849)
This security update resolves a privately reported vulnerability in Microsoft SQL Server on systems running SQL Server Reporting Services (SSRS). The vulnerability is a cross-site-scripting (XSS) vulnerability that could allow elevation of privilege, enabling an attacker to execute arbitrary commands on the SSRS site in the context of the targeted user. An attacker could exploit this vulnerability by sending a specially crafted link to the user and convincing the user to click the link. An attacker could also host a website that contains a webpage designed to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability.
This security update is rated Important for Microsoft SQL Server 2000 Reporting Services Service Pack 2 and for systems running SQL Server Reporting Services (SSRS) on Microsoft SQL Server 2005 Service Pack 4, Microsoft SQL Server 2008 Service Pack 2, Microsoft SQL Server 2008 Service Pack 3, Microsoft SQL Server 2008 R2 Service Pack 1, and Microsoft SQL Server 2012. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The security update addresses the vulnerability by correcting the way that SQL Server Report Manager validates input parameters. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.
Known Issues. Microsoft Knowledge Base Article 2754849 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues.
The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.
Microsoft SQL Server
Depending on your software version or edition, you may need to choose between GDR and QFE software update links below in order to manually install your update from the Microsoft Download Center. For more information on determining which update to install on your system, see the Frequently Asked Questions (FAQ) Related to This Security Update subsection, in this section.
This update is only offered to customers running SQL Server Reporting Services (SSRS).
|Microsoft SQL Server Software|
|Microsoft SQL Server 2000 Service Pack 4|
|Microsoft SQL Server 2000 Itanium Edition Service Pack 4|
|Microsoft SQL Server 2000 Analysis Services Service Pack 4|
|Microsoft SQL Server 2000 Desktop Engine (MSDE) on Microsoft Windows Server 2003 Service Pack 2|
|Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) Service Pack 4|
|Microsoft SQL Server 2005 Express Edition Service Pack 4|
|Microsoft SQL Server Management Studio Express (SSMSE) 2005|
|Microsoft SQL Server 2008 R2 for 32-bit Systems Service Pack 2|
|Microsoft SQL Server 2008 R2 for x64-based Systems Service Pack 2|
|Microsoft SQL Server 2008 R2 for Itanium-based Systems Service Pack 2|
|Microsoft Data Engine (MSDE) 1.0|
|Microsoft Data Engine (MSDE) 1.0 Service Pack 4|
|Microsoft Data Engine 1.0|
To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please go to the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.
How to obtain help and support for this security update
- Help installing updates: Support for Microsoft Update
- Security solutions for IT professionals: TechNet Security Troubleshooting and Support
- Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center
- Local support according to your country: International Support
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (October 9, 2012): Bulletin published.