(MS15-058) Vulnerabilities in SQL Server Could Allow Remote Code Execution (3065718)

  Severity: HIGH
  CVE Identifier: CVE-2015-1761
  Advisory Date: AUG 14, 2015

  DESCRIPTION

This security update resolves vulnerabilities in Microsoft SQL Server. The most severe vulnerabilities could allow remote code execution if an authenticated attacker runs a specially crafted query that is designed to execute a virtual function from a wrong address, leading to a function call to uninitialized memory. To exploit this vulnerability an attacker would need permissions to create or modify a database.

  SOLUTION

  AFFECTED SOFTWARE AND VERSION

  • Microsoft SQL Server 2008 for 32-bit Systems Service Pack 3
  • Microsoft SQL Server 2008 for 32-bit Systems Service Pack 4
  • Microsoft SQL Server 2008 for x64-based Systems Service Pack 4
  • Microsoft SQL Server 2008 R2 for 32-bit Systems Service Pack 2
  • Microsoft SQL Server 2008 R2 for x64-based Systems Service Pack 2
  • Microsoft SQL Server 2008 R2 for Itanium-based Systems Service Pack 2
  • Microsoft SQL Server 2008 R2 for 32-bit Systems Service Pack 3
  • Microsoft SQL Server 2008 R2 for x64-based Systems Service Pack 3
  • Microsoft SQL Server 2012 for 32-bit Systems Service Pack 1
  • Microsoft SQL Server 2014 for x64-based Systems
  • Microsoft SQL Server 2008 for x64-based Systems Service Pack 3
  • Microsoft SQL Server 2008 for Itanium-based Systems Service Pack 3
  • Microsoft SQL Server 2012 for x64-based Systems Service Pack 1
  • Microsoft SQL Server 2012 for 32-bit Systems Service Pack 2
  • Microsoft SQL Server 2012 for x64-based Systems Service Pack 2
  • Microsoft SQL Server 2014 for 32-bit Systems