Allaire Security Bulletin (ASB00-17)
                  Microsoft: Patch Updated for "DTS Password" Vulnerability

                  Originally Posted: July 17, 2000
                  Last Updated: July 17, 2000 

                  Summary

                  Microsoft has released an updated patch that eliminates a security vulnerability in
                  Microsoft(r) SQL Server 7.0. The vulnerability could allow a malicious user to
                  compromise passwords. The updated patch also addresses a related problem with the
                  Enterprise Manager Server registration dialog. This is not a problem with ColdFusion
                  Server itself, but it is an issue that can affect ColdFusion users. Allaire recommends that
                  customers follow the instructions posted on the Microsoft Web site to address this issue.

                  Issue

                  This issue is clearly explained in the Microsoft Security Bulletin:

                       Data Transformation Service (DTS) packages in SQL Server 7.0 allow database
                       administrators to create a package that will perform a particular database
                       action at regular intervals. As part of the creation of a DTS package, the
                       administrator provides the account name and password under which the action
                       should be taken. However, the password can be retrieved by programmatically
                       interrogating the package's Properties dialogue.

                       We have also found this vulnerability within the Registered Servers Dialog
                       under Enterprise Manager.

                       The vulnerability could only occur if several best practices have not been
                       followed:

                        - The creator of the DTS package chose to supply a username and password
                       instead of using Windows Authentication.
                        - The DTS package was created without restricting who can edit it.
                        - The SQL Server administrator allowed Guest access to the SQL Server MSDB
                       database.
                        - A SQL Server is registered under Enterprise Manager using a username and
                       password instead of using Windows Authentication. 

                  Affected Software Versions

                       Microsoft SQL Server 7.0 

                  What Allaire is Doing

                  This is not an Allaire product. We are recommending that customers reference the
                  information at Microsoft's site to address this issue.

                  What Customers Should Do

                  There is a patch available to correct this problem. It is detailed in the following
                  Microsoft Security Bulletin (MS00-041):

                  https://www.microsoft.com/technet/security/bulletin/ms00-041.asp

                  Please note: this issue and patch may not be required for all users. Allaire
                  customers should review all material in the Microsoft Security Bulletin and
                  related documents carefully before applying the patch. As always, customers
                  should test patch changes in a testing environment before modifying
                  production servers.

                  Revisions
                  July 17, 2000 -- Bulletin first created.

                  Reporting Security Issues 
                  Allaire is committed to addressing security issues and providing customers with the
                  information on how they can protect themselves. If you identify what you believe may
                  be a security issue with an Allaire product, please send an email to secure@allaire.com.
                  We will work to appropriately address and communicate the issue. 

                  Receiving Security Bulletins 
                  When Allaire becomes aware of a security issue that we believe significantly affects
                  our products or customers, we will notify customers when appropriate. Typically this
                  notification will be in the form of a security bulletin explaining the issue and the
                  response. Allaire customers who would like to receive notification of new security
                  bulletins when they are released can sign up for our security notification service. 

                  For additional information on security issues at Allaire, please visit the Security Zone at:
                  https://www.allaire.com/security

                  THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY
                  KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
                  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ALLAIRE CORPORATION OR
                  ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
                  CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF ALLAIRE CORPORATION OR ITS
                  SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE
                  EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
                  LIMITATION MAY NOT APPLY. 

                  Allaire reserves the right, from time to time, to update the information in this document
                  with current information.