Critical Microsoft Vulnerability Announced
by Berislav Kucan - Thursday, 21 November 2002.
In the 65th Security Bulletin this year, Microsoft announced a critical vulnerability in Microsoft Data Access Components, a collection of components used to provide database connectivity on Windows platforms.

Microsoft's End User Bulletin notes that the following versions must be updated:
  • Windows NT 4.0, Windows 98, Windows Me, Windows 2000
  • Microsoft Data Access Components (MDAC) 2.1, 2.5, 2.6
  • Internet Explorer 5.01, 5.5, 6.0
MDAC ships by default with Windows ME, Windows XP (Windows XP is not affected, even though it uses Internet Explorer 6.0) and Windows 2000. It is also bundled with or installed by various other products; for example, some MDAC components are included in Internet Explorer and in the Windows NT 4.0 Option Pack.

Microsoft noted a security vulnerability (discovered by Foundstone; their advisory is mirrored here) in the RDS (Remote Data Services) implementation, specifically in a function called the RDS Data Stub, whose purpose is to parse incoming HTTP requests and generate RDS commands. The issue can be exploited by sending a specially malformed HTTP request to the Data Stub, causing arbitrary data to overrun a buffer on the heap. This can result in arbitrary code running on the vulnerable system.

Vulnerability risk factor

  • Web servers are at risk if a vulnerable version of MDAC is installed and running on the server. To exploit the vulnerability against such a web server, an attacker would need to establish a connection with the server and then send a specially malformed HTTP request to it, which would overrun the buffer with the attacker's chosen data. The code would run in the security context of the IIS service (which, by default, runs in the LocalSystem context).
  • Web clients are at risk in almost every case, as the RDS Data Stub is included with all current versions of Internet Explorer and there is no option to disable it. To exploit the vulnerability against a client, an attacker would need to host a web page that, when opened, would send an HTTP reply to the user's system and overrun the buffer with the attacker's chosen data. The web page could be hosted on a web site or sent directly to users as an HTML Mail. The code would run in the security context of the user.
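The bulletin describes the server-side trigger as an HTTP request with a field that is far longer than the Data Stub's parser expects. As an added illustration (not code from the article, from Microsoft or from Foundstone), the following Python snippet parses raw HTTP request heads and flags any request line or header value that exceeds a size threshold, the simplest heuristic a defender can run over captured traffic or a proxy log to spot requests shaped to overrun a fixed-size buffer. The threshold, the header name used for padding and the two sample requests are constructed for this example and are not taken from the bulletin.

```python
"""
Added example: size-based triage of HTTP request heads.

Parses the request line and headers of a raw HTTP request and reports
fields whose length is far beyond what a normal client sends. This is a
generic heuristic for "malformed, oversized request" patterns; it does
not encode any detail of the MS02-065 trigger beyond what the bulletin
states (a specially malformed HTTP request that overruns a heap buffer).
"""
from typing import Dict, List, Tuple

# Assumption: 1024 bytes is a generous upper bound for a legitimate
# request line or header value from a browser of the era.
MAX_FIELD_LEN = 1024


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request into (request_line, headers).

    Only the head (up to the first blank line) is parsed; the body is
    ignored. Header names are lower-cased so lookups are case-insensitive.
    Malformed header lines without a colon are skipped rather than raising,
    because a triage tool must not itself fall over on bad input.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1", errors="replace")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if b":" not in line:
            continue
        name, _, value = line.partition(b":")
        key = name.decode("latin-1", errors="replace").strip().lower()
        headers[key] = value.decode("latin-1", errors="replace").strip()
    return request_line, headers


def oversized_fields(raw: bytes, limit: int = MAX_FIELD_LEN) -> List[str]:
    """Return the names of fields longer than `limit` bytes.

    "request-line" is reported for the first line; header fields are
    reported by their lower-cased name. An empty list means nothing
    exceeded the threshold.
    """
    request_line, headers = parse_request(raw)
    flagged: List[str] = []
    if len(request_line) > limit:
        flagged.append("request-line")
    for name, value in headers.items():
        if len(value) > limit:
            flagged.append(name)
    return flagged


def scan_requests(requests: List[bytes], limit: int = MAX_FIELD_LEN) -> List[Tuple[int, List[str]]]:
    """Run oversized_fields over a batch and return (index, flagged_fields)
    for every request that tripped the threshold."""
    hits = []
    for idx, raw in enumerate(requests):
        flagged = oversized_fields(raw, limit)
        if flagged:
            hits.append((idx, flagged))
    return hits


# Constructed sample traffic (not captured data): one ordinary request and
# one whose Referer header is padded far past any plausible length.
NORMAL_REQUEST = (
    b"GET /default.htm HTTP/1.0\r\n"
    b"Host: intranet.example\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"
    b"\r\n"
)
PADDED_REQUEST = (
    b"POST /app HTTP/1.0\r\n"
    b"Host: intranet.example\r\n"
    b"Referer: " + b"A" * 4096 + b"\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for idx, fields in scan_requests([NORMAL_REQUEST, PADDED_REQUEST]):
        print(f"request #{idx}: oversized fields {fields}")
```

A length threshold is a coarse filter, so in practice it belongs alongside the vendor patch rather than in place of it; its value is that it is cheap to run over an existing IIS log or a packet capture to see whether anything shaped like the described request ever reached a server before the patch was applied.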

Patches and mitigation information can be found in Microsoft's bulletin announcing this vulnerability, Microsoft Security Bulletin MS02-065.

