Re: Alert: Microsoft Security Bulletin - MS02-061
From: Bronek Kozicki (brok@RUBIKON.PL)
Date: 10/18/02
- In reply to: Betka, Corey: "Re: Alert: Microsoft Security Bulletin - MS02-061"
Date: Fri, 18 Oct 2002 22:46:19 +0200
From: Bronek Kozicki <brok@RUBIKON.PL>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Hi
> SecurityHotfix.sql and xpweb70.dll. Using WinDiff, SecurityHotfix.sql hasn't
> really changed, just its timestamp has been updated.
Apparently WinDiff does not work the way you think it does (try fc instead).
SecurityHotfix.sql in MS02-061 is a little longer and contains REVOKE
statements at the end on mswebtasks table and related procedures.
> So, if I've installed MS02-056, is the only file I need to update
> xpweb70.dll? If that's the case, there's nothing in the readme.txt that
> leads me to believe that.
You need to:
1. update xpweb70.dll
2. run the part of the SecurityHotfix.sql file starting with "-- Revoke privileges
on mswebtasks and stored procedures"
That's it; if xpweb70.dll is not loaded in memory you do not even need to
stop the MSSQL service. You can free it with the "DBCC xpweb70(free)" statement, so
a service restart is unnecessary anyway.
BTW: there's a mistake in Q316333 and MS02-061; "SELECT @@VERSION" and
"SELECT serverproperty('productversion')" will return the same version
number 679 regardless of whether you have MS02-056 or MS02-061 installed. One has
to actually check the version of xpweb70.dll and the permissions on related
procedures and tables.
BTW2: does anybody know what the MINIMUM required privileges on sys*
tables in the master database are for public? I have a strong feeling that some more
REVOKE statements would not hurt my SQL server.
Regards
B.
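
Step 2 of the message above, as an added example (not part of the original post and not Microsoft's code): a Python helper that cuts a copy of SecurityHotfix.sql at the marker comment and lists the REVOKE statements in that tail, so they can be reviewed before being run. The sample script text and the procedure name example_webtask_proc are constructed placeholders, not the contents of the real file.

```python
import re

# Marker comment quoted in the message; whitespace is matched loosely because
# mail clients and editors may wrap or re-space the line.
MARKER = "-- Revoke privileges on mswebtasks and stored procedures"
MARKER_RE = re.compile(r"\s+".join(re.escape(w) for w in MARKER.split()),
                       re.IGNORECASE)
# A REVOKE statement up to its "FROM <principal>", possibly spanning lines.
REVOKE_RE = re.compile(r"\bREVOKE\b.*?\bFROM\s+\S+", re.IGNORECASE | re.DOTALL)

def revoke_section(script_text):
    """Return the script from the marker comment to the end of the file."""
    match = MARKER_RE.search(script_text)
    if match is None:
        # A copy without the marker has no REVOKE section to run.
        raise ValueError("marker comment not found in script")
    return script_text[match.start():]

def revoke_statements(section):
    """List REVOKE statements in the section, whitespace-normalised."""
    # Drop '--' comments first so the marker's own word "Revoke" is not matched.
    code_only = re.sub(r"--[^\n]*", "", section)
    return [" ".join(m.group(0).split()) for m in REVOKE_RE.finditer(code_only)]

# Constructed sample input; the real SecurityHotfix.sql is not reproduced here.
SAMPLE = """\
-- (constructed sample, not the real SecurityHotfix.sql)
PRINT 'steps already applied by the earlier hotfix'
GO
--  Revoke privileges on mswebtasks   and stored procedures
REVOKE ALL ON mswebtasks
    FROM public
GO
revoke execute on example_webtask_proc from public  -- hypothetical name
GO
"""

if __name__ == "__main__":
    tail = revoke_section(SAMPLE)
    for stmt in revoke_statements(tail):
        print(stmt)
```
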