-----BEGIN PGP SIGNED MESSAGE-----
Title: Buffer Overrun in Microsoft Data Access Components Could
Lead to Code Execution (Q329414)
Date: 20 November, 2002
Software:
Microsoft Data Access Components (MDAC) 2.1
Microsoft Data Access Components (MDAC) 2.5
Microsoft Data Access Components (MDAC) 2.6
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0
Impact: Run code of attacker?s choice
Max Risk: Critical
Bulletin: MS02-065
Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/security/security_bulletins/ms02-065.asp
http://www.microsoft.com/technet/security/bulletin/MS02-065.asp.
Microsoft Data Access Components (MDAC) is a collection of components
used to provide database connectivity on Windows platforms. MDAC is
a ubiquitous technology, and it is likely to be present on most
Windows systems:
MDAC provides the underlying functionality for a number of database
operations, such as connecting to remote databases and returning data
to a client. One of the MDAC components, known as Remote Data
Services(RDS), provides functionality that support three-tiered
Architectures ? that is, architectures in which a client?s requests
for service from a back-end database are intermediated through a web
site that applies business logic to them. A security vulnerability
is present in the RDS implementation, specifically, in a function
called the RDS Data Stub, whose purpose it is to parse incoming
HTTP requests and generate RDS commands.
The vulnerability results because of an unchecked buffer in the Data
Stub. By sending a specially malformed HTTP request to the Data Stub,
an attacker could cause data of his or her choice to overrun onto the
heap. Although heap overruns are typically more difficult to exploit
than the more-common stack overrun, Microsoft has confirmed that in
this case it would be possible to exploit the vulnerability to run
code of the attacker?s choice on the user?s system.
Both web servers and web clients are at risk from the vulnerability:
Clearly, this vulnerability is very serious, and Microsoft recommends
that all customers whose systems could be affected by them take app-
ropriate action immediately. Web server administrators should either
install the patch, disable MDAC and/or RDS, or upgrade to MDAC 2.7,
which is not affected by the vulnerability. Web client users should
install the patch immediately on any system that is used for web
browsing. It is important to stress that the latter guidance applies
to any system used for web browsing, regardless of any other
protective measures that have already been taken. For instance, a
web server on which RDS had been disabled would still need the patch
if it was occasionally used as a web client.
Web Servers
Web clients
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
ITS
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQEVAwUBPdvJ8I0ZSRQxA/UrAQER+wgAj6UQfMzv8Ydv4ZuZVuQS0CHiVQ+r8Ykm
kDZ/EQhmDo7/j+SXVqGjvycrZCGFET5guGbrGzc7z4bQFAQMs2YxbOxhDYirCxQ6
9zsRDuUkmztjY7VB+oeWBIgaENcFPfv0v9XOMN8pArr1PziHaKOeZ+pYkoFvM83t
IegB6sRw6dc8UfvC0j5eyCnW+YXrRgWjAq3KCn+TW7dVgGSCONUXtwXPxzEivk21
zcNu8pOWY7z49zOLJKJlad78XiraUvhUNj1IGM0J5/XhRHsVe1MI3+V8Btsx0EGo
XwwHx8Zua0l4n/XMufIr5Zr0jhNH9KO2jABDvDCEw3ofGeYo/mJgZw==
=CYOd
-----END PGP SIGNATURE-----
You have received this e-mail bulletin because of your subscription to the Microsoft
Product Security Notification Service. For more information on this service, please visit
http://www.microsoft.com/technet/security/notify.asp.
To verify the digital signature on this bulletin, please download our PGP key at
http://www.microsoft.com/technet/security/notify.asp.
To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft
Profile Center at http://register.microsoft.com/regsys/pic.asp
If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft
Security Notification Service via email as described below:
Reply to this message with the word UNSUBSCRIBE in the Subject line.
For security-related information about Microsoft products, please visit the Microsoft
Security Advisor web site at http://www.microsoft.com/security.