Microsoft Security Bulletin MS00-035
Patch Available for 'SQL Server 7.0 Service Pack Password' Vulnerability
Originally posted: May 30, 2000
Updated: June 15, 2000
Updated: May 10, 2001
On May 30, 2000, Microsoft released the original version of this bulletin to announce the availability of a patch that eliminates a security vulnerability in the installation routines for Microsoft® SQL Server® 7.0 Service Packs 1 and 2. When run on a machine that is configured in a non-recommended mode, the routines record the administrator password in a log file, where it could be read by any user who could log onto the server at the keyboard.
On June 15, 2000, the bulletin was updated to note that, under the same conditions as originally reported, the password is also recorded in a second file. A new version of the patch is available that prevents the password from being recorded in either file.
On May 10, 2001, the bulletin was updated to note that Service Pack 3 is also affected by this vulnerability. A new patch is available for SP3, and we are also providing a command-line utility (for use after Service Pack deployment) to remove all instances of the SA password written to either file; see Q263968.
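As an added example (not Microsoft's Q263968 utility, whose implementation the bulletin does not describe), the following Python script performs the defender-side check the bulletin implies: it searches the two setup artifacts for the literal SA password, reports where it appears, and redacts it in place. The file contents, key names and the sample password are constructed for illustration; the real sqlsp.log and setup.iss layouts may differ, which is why the check searches for the password value itself rather than for a particular key name.

```python
"""Find and redact a leaked SA password in SQL Server 7.0 service pack
setup artifacts (sqlsp.log, setup.iss).

Added example, not Microsoft's Q263968 tool. The sample file contents
below are constructed; the key names and log messages are invented.
"""
import re
import tempfile
from pathlib import Path

REDACTED = "********"

# Constructed sample contents (not real file formats).
SAMPLE_PASSWORD = "S3cret!Pa$$"
SQLSP_LOG_SAMPLE = (
    "Starting SQL Server 7.0 Service Pack 2 setup\n"
    "Connecting to server with sa password: S3cret!Pa$$\n"
    "Upgrade completed\n"
)
SETUP_ISS_SAMPLE = (
    "[SdLogonOptions-0]\n"
    "szPassword=S3cret!Pa$$\n"
    "Result=1\n"
)


def find_password_lines(text, password):
    """Return (1-based line number, line) for every line containing the password.

    The match is literal and case-sensitive: SA passwords are case-sensitive
    and may contain characters that are regex metacharacters.
    """
    if not password:
        raise ValueError("password must be non-empty")
    return [(n, line) for n, line in enumerate(text.splitlines(), start=1)
            if password in line]


def redact_password(text, password):
    """Replace every literal occurrence of the password; return (new text, count)."""
    pattern = re.compile(re.escape(password))
    return pattern.subn(REDACTED, text)


def scrub_file(path, password):
    """Redact the password in a file on disk, byte for byte, so that line
    endings and encoding are left untouched. Returns the number of hits."""
    data = path.read_bytes()
    needle = password.encode("latin-1")  # assumption: ANSI-era setup files
    count = data.count(needle)
    if count:
        path.write_bytes(data.replace(needle, REDACTED.encode("ascii")))
    return count


def scrub_artifacts(directory, password, names=("sqlsp.log", "setup.iss")):
    """Scrub each named artifact under `directory`; return {name: hit count}.
    Files that do not exist are skipped (count 0)."""
    results = {}
    for name in names:
        path = Path(directory) / name
        results[name] = scrub_file(path, password) if path.exists() else 0
    return results


def demo():
    """Write the constructed samples to a temp directory, scrub them, and
    return the per-file hit counts. Verifies no copy of the password remains."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "sqlsp.log").write_text(SQLSP_LOG_SAMPLE, encoding="latin-1")
        (Path(tmp) / "setup.iss").write_text(SETUP_ISS_SAMPLE, encoding="latin-1")
        counts = scrub_artifacts(tmp, SAMPLE_PASSWORD)
        for name in counts:
            assert SAMPLE_PASSWORD not in (Path(tmp) / name).read_text(encoding="latin-1")
        return counts


if __name__ == "__main__":
    print(demo())
```

Because the search is for the password value rather than a file format, the same check can be re-run after applying the patch to confirm that no copy remains. Redaction only removes the copy on disk: a password that was readable by local users should be treated as exposed and rotated.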
Affected Software:
- Microsoft SQL Server 7.0 Service Packs 1, 2, and 3
Vulnerability Identifier: CVE-2000-0402
Microsoft thanks the following customers for working with us to protect customers:
- Gordon Newman of PeopleSoft for reporting the presence of the password in sqlsp.log
- Akintunde Oluwaleimu for reporting the presence of the password in setup.iss
Support: This is a fully supported patch. Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
- May 30, 2000: Bulletin created.
- June 15, 2000: Bulletin updated to discuss password presence in setup.iss.
- May 10, 2001: Bulletin updated to provide a patch for SP3 and tool for SA password removal.