Microsoft SQL Server and Desktop Engine contain a flaw that may allow a remote attacker to execute arbitrary code. The issue is due to the SQL Server Resolution Service not properly sanitizing remote user input. If an attacker sends a specially crafted request (first byte set to 0x04 followed by a large string) they may be able to execute arbitrary code with the privileges of the SQL server.
Classification
Location:
Remote / Network Access
Attack Type:
Input Manipulation
Impact:
Loss of Integrity
Solution:
Patch / RCS
Exploit:
Exploit Public
Disclosure:
Vendor Verified
Solution
Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.