A SQL Server security bulletin (MS15-058) was released yesterday (14-Jul-2015).
“This update resolves vulnerabilities in Microsoft SQL Server that could allow remote code execution if an authenticated attacker runs a specially crafted query that is designed to execute a virtual function from a wrong address. This leads to a function call to uninitialized memory.”
It applies to:
- SQL Server 2008
- SQL Server 2008 R2
- SQL Server 2012
- SQL Server 2014
If you are unsure which version is affected, please read the blog post by Aaron Bertrand (a useful matrix here).
The KB is #3065718; more details here.
Stay Tuned! 🙂