ISS Protection Brief: Microsoft MDAC Remote Code Execution

Type securityvulns
Reporter Securityvulns
Modified 2006-04-12T00:00:00



Internet Security Systems Security Brief April 11, 2006

Microsoft MDAC Remote Code Execution

Microsoft has issued an advisory for a vulnerability in Microsoft Data Access Components (MDAC). Specifically, the RDS.Dataspace ActiveX control provided with MDAC allows attackers to craft malicious web pages that create objects with the security context of the logged-in user rather than that of the Internet Explorer DOM.

Business Impact:

Compromise of the operating system can lead to exposure of confidential information, loss of productivity, and further network compromise. Successful exploitation of this vulnerability could be used to gain unauthorized access to one's networks and machines.


It is possible to instantiate the RDS.Dataspace ActiveX control without it being associated with the Internet Explorer DOM. When instantiated this way, the control assumes the security context of the currently logged-on user and not that of the DOM. Under this security context, functionality that is typically limited within the DOM is fully operational. Attackers may leverage this more privileged security context to execute commands on the target system.

Exploitation of this vulnerability requires the Internet Explorer user to browse to a malicious page. Attackers may attempt to lure users via phishing emails.
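
As an added example (not part of the ISS brief or of any ISS product), the following Python sketch flags script-side instantiation of the control in captured page content, such as a proxy capture of a page a user was lured to. The function name, the constructed sample page and the choice to match only `ActiveXObject`/`CreateObject` calls by ProgID are assumptions; `<object>` tags that reference the control by class ID and escaped string literals are not covered.

```python
import re

PROGID = "rds.dataspace"  # ProgID named in the brief, lower-cased for comparison

# Closing quote, + (JScript) or & (VBScript), opening quote on one line:
# removing it joins split literals such as "RDS.Da" + "taSpace".
_SPLIT = re.compile(r"""["'][ \t]*[+&][ \t]*["']""")
# new ActiveXObject("...") in JScript, CreateObject("...") in VBScript.
_CREATE = re.compile(r"""\b(ActiveXObject|CreateObject)\s*\(\s*["']([^"']*)["']""", re.I)


def find_instantiations(page):
    """Return (line, call, progid) for each script call that creates the control."""
    folded = _SPLIT.sub("", page)  # newlines are untouched, so line numbers hold
    hits = []
    for m in _CREATE.finditer(folded):
        call, progid = m.group(1), m.group(2).strip()
        if progid.lower() == PROGID:
            line = folded.count("\n", 0, m.start()) + 1
            hits.append((line, call, progid))
    return hits


# Constructed sample page, not taken from any real site.
SAMPLE = """<html><body>
<script>
var a = new ActiveXObject("Msxml2.XMLHTTP");
var b = new ActiveXObject("RDS.Da" + "taSpace");
</script>
<script language="VBScript">
Set c = CreateObject("rds.dataspace")
</script>
<p>The brief names the RDS.Dataspace control.</p>
</body></html>"""

if __name__ == "__main__":
    for line, call, progid in find_instantiations(SAMPLE):
        print(f"line {line}: {call}({progid!r})")
```

A plain-text mention of the control name (line 9 of the sample) and creation of other controls (line 3) are deliberately not reported, which keeps the check usable on pages that merely discuss the issue.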

For the complete ISS X-Force Security Alert, please visit:

About Internet Security Systems, Inc. Internet Security Systems, Inc. (ISS) is the trusted security advisor to thousands of the world's leading businesses and governments, providing preemptive protection for networks, desktops and servers. An established leader in security since 1994, ISS' integrated security platform automatically protects against both known and unknown threats, keeping networks up and running and shielding customers from online attacks before they impact business assets. ISS products and services are based on the proactive security intelligence of its X-Force® research and development team, the unequivocal world authority in vulnerability and threat research. ISS' product line is also complemented by comprehensive Managed Security Services. For more information, visit the Internet Security Systems Web site at or call 800-776-2362.

Copyright (c) 2006 Internet Security Systems, Inc. All rights reserved worldwide.

This document is not to be edited or altered in any way without the express written consent of Internet Security Systems, Inc. If you wish to reprint the whole or any part of this document, please email for permission. You may provide links to this document from your web site, and you may make copies of this document in accordance with the fair use doctrine of the U.S. copyright laws.

Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and's key server, as well as at Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc.
