Microsoft Issues Two SQL Server Updates

By N-Stalker Team on June 11, 2002

Microsoft released two new security bulletins today. MS02-034 is a cumulative patch for SQL Server 2000 that fixes three new vulnerabilities as well as all those from earlier updates. Two of these new holes are buffer overruns that can result in remote system compromise; however, only certain server configurations are at risk. SQL Server 7.0 is not affected.

Bulletin MS02-035 also deals with SQL Server, versions 7 and 2000. If a username and password are supplied to the installation routine of the software or any service pack, they are stored in a file called setup.iss, which is not deleted. Newer versions of the server use weak encryption on the password; prior to SQL 7 SP4 it was stored in cleartext. Under most conditions, this file would only be available locally, and Microsoft has marked this as a Moderate-risk vulnerability.
