Microsoft Fixes 'Critical' Flaw in MDAC
In rare strong language, Microsoft warns that the MDAC buffer overrun flaw 'is very serious' and urged the immediate application of patches.
A day after saying it would limit the issuing of 'critical' bulletins, Microsoft issued its 65th warning this year for the MDAC flaw, which results because of an unchecked buffer in the Data Stub.
"By sending a specially malformed HTTP request to the Remote Access Data Stub, an attacker could cause data of his or her choice to overrun onto the heap. Although heap overruns are typically more difficult to exploit than the more-common stack overrun, Microsoft has confirmed that in this case it would be possible to exploit the vulnerability to run code of the attacker's choice on the user's system," the company warned.
The advisory, which was cross-posted for non-technical end users, said the vulnerability affected MDAC versions 2.1 through 2.6 and Internet Explorer versions 5.01, 5.5 and 6.0. WindowsXP systems are not affected.
"This vulnerability is very serious and Microsoft recommends that all customers whose systems could be affected by them take appropriate action immediately," the company warned, noting that both Web servers and Web clients were at risk.
Web server administrators should immediately install the patch (download here) and disable MDAC and/or RDS. Alternative, system admins should upgrade to MDAC 2.7, which is not affected by the flaw.
In strong language, Microsoft stressed that the fixes apply to any system used for web browsing, regardless of any other protective measures that have already been taken. "For instance, a web server on which RDS had been disabled would still need the patch if it was occasionally used as a web client," the company said.
The vulnerability, which was detected by Foundstone Research Labs is exploited on a Web server if an attacker establishes a connection with the server and then send a specially malformed HTTP request to it. The HTTP request would overrun the buffer with the attacker's chosen data. "The code would run in the security context of the IIS service (which, by default, runs in the LocalSystem context)," the company explained.
It said Web clients "are at risk in almost every case" because the RDS Data Stub is included with all current versions of Internet Explorer and there is no option to disable it.
To exploit the flaw against a client, an attacker would need to host a Web page that, when opened, send an HTTP reply to the user's system and overrun the buffer with the attacker's chosen data. The Web page could be hosted on a Web site or sent directly to users as an HTML, Microsoft added.
The affected MDAC provides the underlying functionality for database operations, like connecting to remote databases and returning data to a client.