Microsoft's End User Bulletin notes that the following versions must be updated:
- Windows NT 4.0, Windows 98, Windows Me, Windows 2000
- Microsoft Data Access Components (MDAC) 2.1, 2.5, 2.6
- Internet Explorer 5.01, 5.5, 6.0
Microsoft noted a security vulnerability (Foundstone discovered the vulnerability - mirrored here) in the RDS (Remote Data Services) implementation, specifically, in a function called the RDS Data Stub, whose purpose it is to parse incoming HTTP requests and generate RDS commands. This security issue can be exploited by sending a specially malformed HTTP request to the Data Stub, which could cause arbitrary data to overrun onto the heap. This can result in running arbitrary code on the vulnerable system.
Vulnerability risk factor
- Web servers are at risk if a vulnerable version of MDAC is installed and running on the server. To exploit the vulnerability against such a web server, an attacker would need to establish a connection with the server and then send a specially malformed HTTP request to it, that would have the effect of overrunning the buffer with the attacker's chosen data. The code would run in the security context of the IIS service (which, by default, runs in the LocalSystem context)
- Web clients are at risk in almost every case, as the RDS Data Stub is included with all current versions of Internet Explorer and there is no option to disable it. To exploit the vulnerability against a client, an attacker would need to host a web page that, when opened, would send an HTTP reply to the user's system and overrun the buffer with the attacker's chosen data. The web page could be hosted on a web site or sent directly to users as an HTML Mail. The code would run in the security context of the user.
Patches and mitigation information can be read from Microsoft's Bulletin announcing this vulnerability - Microsoft Security Bulletin MS02-065