-----BEGIN PGP SIGNED MESSAGE-----
Title: Buffer Overrun in Microsoft Data Access Components Could
Lead to Code Execution (Q329414)
Date: 20 November, 2002
Software: Microsoft Data Access Components (MDAC) 2.1
          Microsoft Data Access Components (MDAC) 2.5
          Microsoft Data Access Components (MDAC) 2.6
          Microsoft Internet Explorer 5.01
          Microsoft Internet Explorer 5.5
          Microsoft Internet Explorer 6.0
Impact: Run code of attacker's choice
Max Risk: Critical
Bulletin: MS02-065
Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/security/security_bulletins/ms02-065.asp
http://www.microsoft.com/technet/security/bulletin/MS02-065.asp
Microsoft Data Access Components (MDAC) is a collection of components used to provide database connectivity on Windows platforms. MDAC is a ubiquitous technology, and it is likely to be present on most Windows systems:
MDAC provides the underlying functionality for a number of database operations, such as connecting to remote databases and returning data to a client. One of the MDAC components, known as Remote Data Services (RDS), provides functionality that supports three-tiered architectures, that is, architectures in which a client's requests for service from a back-end database are intermediated through a web site that applies business logic to them. A security vulnerability is present in the RDS implementation, specifically in a function called the RDS Data Stub, whose purpose is to parse incoming HTTP requests and generate RDS commands.
The vulnerability results because of an unchecked buffer in the Data Stub. By sending a specially malformed HTTP request to the Data Stub, an attacker could cause data of his or her choice to overrun onto the heap. Although heap overruns are typically more difficult to exploit than the more-common stack overrun, Microsoft has confirmed that in this case it would be possible to exploit the vulnerability to run code of the attacker's choice on the user's system.
Both web servers and web clients are at risk from the vulnerability:
Clearly, this vulnerability is very serious, and Microsoft recommends that all customers whose systems could be affected by it take appropriate action immediately. Web server administrators should either install the patch, disable MDAC and/or RDS, or upgrade to MDAC 2.7, which is not affected by the vulnerability. Web client users should install the patch immediately on any system that is used for web browsing. It is important to stress that the latter guidance applies to any system used for web browsing, regardless of any other protective measures that have already been taken. For instance, a web server on which RDS had been disabled would still need the patch if it was occasionally used as a web client.
Web Servers
- Web servers that are using MDAC version 2.7 (the version that shipped with Windows XP) or later are not affected by the vulnerability.
- Even if a vulnerable version of MDAC were installed, a web server would only be at risk if RDS were enabled. RDS is disabled by default on clean installations of Windows XP and Windows 2000, and can be disabled on other systems by following the guidance in the IIS Security Checklist. In addition, the IIS Lockdown Tool will automatically disable RDS when used in its default configuration.
- If the URLScan tool were deployed with its default ruleset (which allows only ASCII data to be present in an HTTP request), it is likely that the vulnerability could only be used for denial of service attacks.
- IIS can be configured to run with fewer than administrative privileges. If this has been done, it would likewise limit the privileges that an attacker could gain through the vulnerability.
- IP address restrictions, if applied to the RDS virtual directory, could enable the administrator to restrict access to only trusted users. This is, however, not practical for most web server scenarios.
Web clients
- The HTML mail-based attack vector could not be exploited automatically on systems where Outlook 98 or Outlook 2000 were used in conjunction with the Outlook Email Security Update, or Outlook Express 6 or Outlook 2002 were used in their default configurations.
- Exploiting the vulnerability would convey to the attacker only the user's privileges on the system. Users whose accounts are configured to have few privileges on the system would be at less risk than ones who operate with administrative privileges.
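The guidance above can be applied to a host inventory as a triage rule. The following is an added example, not part of the bulletin and not Microsoft code: the Host record and its field names are hypothetical, and it assumes the inventory records MDAC by release name ("2.6"), treating anything else as needing manual review rather than as safe.

```python
from dataclasses import dataclass

AFFECTED_MDAC = {(2, 1), (2, 5), (2, 6)}  # releases the bulletin lists as affected
FIRST_UNAFFECTED = (2, 7)                 # "MDAC 2.7 ... is not affected"

@dataclass
class Host:                    # hypothetical inventory record
    name: str
    mdac_version: str          # release name, e.g. "2.6"
    patched: bool              # MS02-065 patch installed
    web_server: bool
    rds_enabled: bool
    used_for_browsing: bool

def parse_release(version):
    """Return (major, minor), or None if the string is not a plain release name."""
    parts = version.split(".")
    try:
        major, minor = int(parts[0]), int(parts[1])
    except (ValueError, IndexError):
        return None
    # A two-digit minor is a build-style string, not a release name:
    # refuse to compare it so it can never be mistaken for ">= 2.7".
    return (major, minor) if len(parts) == 2 and 0 <= minor <= 9 else None

def triage(host):
    """Return (status, reasons) for one host, following the bulletin's guidance."""
    release = parse_release(host.mdac_version)
    if release is None:
        return "verify manually", ["MDAC version string not recognised"]
    if release >= FIRST_UNAFFECTED:
        return "not affected", ["MDAC 2.7 or later"]
    if release not in AFFECTED_MDAC:
        return "verify manually", ["MDAC release not listed in the bulletin"]
    if host.patched:
        return "patched", ["MS02-065 patch installed"]
    reasons = []
    if host.web_server and host.rds_enabled:
        reasons.append("server: RDS enabled; patch, disable RDS, or upgrade to MDAC 2.7")
    if host.used_for_browsing:
        reasons.append("client: used for web browsing; patch needed even with RDS disabled")
    if reasons:
        return "action required", reasons
    return "low exposure", ["RDS not exposed and host not used for web browsing"]

# Constructed sample: a web server with RDS disabled that is occasionally used to browse.
SAMPLE = Host("iis01", "2.6", patched=False, web_server=True,
              rds_enabled=False, used_for_browsing=True)
```

The constructed sample is the case the bulletin singles out: disabling RDS removes the server-side exposure, but the host still needs the patch because it is used as a web client.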
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
-----END PGP SIGNATURE-----
You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service. For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.
To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.