PT-2008-1740 · Microsoft · Sql Server Desktop Engine (Msde) 2000+3

Published: 2008-07-08 · Updated: 2019-02-28 · CVE-2008-0085

CVSS v2.0: 5.0 (Medium)

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

SQL Server versions 7.0 SP4, 2000 SP4, 2005 SP1 and SP2
SQL Server 2000 Desktop Engine (MSDE 2000) version SP4
SQL Server 2005 Express Edition versions SP1 and SP2
Microsoft Data Engine (MSDE) version 1.0 SP4

Description

An information disclosure issue exists due to improper memory page initialization when reallocating memory. This allows database operators to obtain sensitive information, such as database contents, via unknown vectors related to memory page reuse. An attacker with database operator access could exploit this to access customer data.

Recommendations

Update each of the following to a version that properly initializes memory pages:

SQL Server versions 7.0 SP4, 2000 SP4, 2005 SP1 and SP2
SQL Server 2000 Desktop Engine (MSDE 2000) version SP4
SQL Server 2005 Express Edition versions SP1 and SP2
Microsoft Data Engine (MSDE) version 1.0 SP4

As a temporary workaround, consider restricting access to sensitive database contents until a patch is available.

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2008-0085

Affected Products

Data Engine
Sql Server
Sql Server Desktop Engine (Msde) 2000
Sql Server 2005 Express Edition