MS fixes tool flaw; another appears in SQL Server

A security alert was issued by Microsoft Corp. Tuesday to select customers and developers over a vulnerability in its File Transfer Manager (FTM) program that could allow an attacker to take over vulnerable systems.

The flaw can be found in the program which Microsoft offers to its developers and volume-license customers, according to an e-mail the Redmond, Wash., company sent to a select group of FTM users. Microsoft said it believes that only a small number of its customers are affected by the flaw, although it didn’t provide a ballpark number for how many might be affected.

Though the company only provided basic details about the existence of the flaw, a separate security alert released last week by Ukrainian security researcher Andrew Tereschenko, who was thanked in Microsoft’s alert, provided more information. The vulnerabilities are both the result of flaws in ActiveX controls included in versions released before File Transfer Manager 4.0, which came out in June, he said in his alert.

The first hole, which can be exploited via a buffer overflow, could allow virtually any Web site to install an ActiveX control on a user’s computer, he said. The second vulnerability exploits a man-in-the-middle attack, in which the attacker intercepts traffic between a host and the target PC to download or upload any file from or to an affected PC, he said.

Tereschenko disputed Microsoft’s claim that only a small number of customers are affected by the flaw.

To repair the flaw, Microsoft urged users of File Transfer Manager to upgrade their software to version 4.0. The new version of the software is available at

Separately, security research firm Next Generation Security Software Ltd. said Monday that it had discovered a vulnerability in Microsoft’s SQL Server 7 and 2000 that could allow a user with low access privileges to overwrite files in the database.

The vulnerability exists in the SQL Server agent, a helper component used to restart the database service on SQL Server if it stops, NGSoftware said. Because the agent can accept jobs from low-privileged users by default, an attacker could create a specially crafted query that can, in some cases, cause the agent to overwrite files on the server, the group said.

NGSSoftware said that it had notified Microsoft of the problem in July but that the software company had not yet released a patch.

SQL Server should be configured to disallow low privileged users access to the job procedures in order to prevent the problem, NGSSoftware said.

Representatives from Microsoft Canada were not immediately available for comment

The alert and more information on the work-around can be found at

– With files from IDG News Service