Some technical details on the update itself are in KB3199641.
The update fixes elevation of privilege on three different components in SQL Server:
- Database Engine (RDBMS); there are three CVE's spread over the different major versions of Database Engine. The documentation speaks of "improperly handles pointer casting" without further details.
- Master Data Services - MDS; There is a cross-site-scripting (XSS) vulnability in the MDS API. This could be in the web application part of the API.
- Analysis Services - SSAS; in this case the vulnability is due to "improperly checks FILESTREAM path.".
- SQL Server Agent; the vulnability lies in "incorrectly check ACLs on atxcore.dll". This file is a part of the SQL Server Agent ActiveX subsystem, which is - finally - removed from SQL Server with the 2016 version.
The update is for SQL Server 2012 and newer. SQL Server 2008 (R2) are not hit by this security issue.
And not a word about SQL Server 2005, 2000 - or older ;-)
History2016-11-09 Post created with initial references.
2016-11-27 Details on SQL Server components added.