PT-2008-1762 · Microsoft · 2000 Desktop Engine+4

Published: 2008-07-08 · Updated: 2019-02-26 · CVE-2008-0107

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

SQL Server versions 7.0 SP4 through 2005 SP2
Microsoft Data Engine (MSDE) version 1.0 SP4
Internal Database (WYukon) version SP2
2000 Desktop Engine (MSDE 2000) version SP4
2005 Express Edition versions SP1 through SP2

Description

The issue allows remote authenticated users to execute arbitrary code, potentially leading to elevation of privilege, where an attacker could run code and take complete control of the system. This is achieved via a crafted record size value in a pathname for an on-disk file, which triggers a heap-based buffer overflow.

Recommendations

For SQL Server versions 7.0 SP4 through 2005 SP2, consider restricting access to the SQL Server until a patch is available.
For Microsoft Data Engine (MSDE) version 1.0 SP4, restrict access to the database engine to minimize the risk of exploitation.
For Internal Database (WYukon) version SP2, avoid using the vulnerable database functions until the issue is resolved.
For 2000 Desktop Engine (MSDE 2000) version SP4 and 2005 Express Edition versions SP1 through SP2, consider disabling the WebDAV and SMB pathways to prevent exploitation.

Fix

Weakness Enumeration

Related Identifiers

CVE-2008-0107

Affected Products

2000 Desktop Engine
2005 Express Edition
Internal Database
Data Engine
SQL Server