Microsoft Fixes ‘Critical’ Flaw in MDAC

Microsoft has tagged a “critical” rating on a security flaw found in Data
Access Components (MDAC) used to provide database connectivity on Windows
platforms, warning that the vulnerability could lead to code execution by an
attacker.

A day after saying it would limit
the issuing of ‘critical’ bulletins, Microsoft issued its 65th warning this
year for the MDAC flaw, which results because of an unchecked buffer in the
Data Stub.

“By sending a specially malformed HTTP request to the Remote Access Data
Stub, an attacker could cause data of his or her choice to overrun onto the
heap. Although heap overruns are typically more difficult to exploit than
the more-common stack overrun, Microsoft has confirmed that in this case it
would be possible to exploit the vulnerability to run code of the attacker’s
choice on the user’s system,” the company warned.

The advisory, which was cross-posted for non-technical end users, said the
vulnerability affected MDAC versions 2.1 through 2.6 and Internet Explorer
versions 5.01, 5.5 and 6.0. WindowsXP systems are not affected.

“This vulnerability is very serious and Microsoft recommends that all
customers whose systems could be affected by them take appropriate action
immediately,” the company warned, noting that both Web servers and Web
clients were at risk.

Web server administrators should immediately install the patch (download here) and disable MDAC and/or RDS. Alternative, system admins
should upgrade to MDAC 2.7, which is not affected by the flaw.

In strong language, Microsoft stressed that the fixes apply to any system
used for web browsing, regardless of any other protective measures that have
already been taken. “For instance, a web server on which RDS had been
disabled would still need the patch if it was occasionally used as a web
client,” the company said.

The vulnerability, which was detected by Foundstone Research Labs is exploited on
a Web server if an attacker establishes a connection with the server and
then send a specially malformed HTTP request to it. The HTTP request would
overrun the buffer with the attacker’s chosen data. “The code would run in
the security context of the IIS service (which, by default, runs in the
LocalSystem context),” the company explained.

It said Web clients “are at risk in almost every case” because the RDS Data
Stub is included with all current versions of Internet Explorer and there is
no option to disable it.

To exploit the flaw against a client, an attacker would need to host a Web
page that, when opened, send an HTTP reply to the user’s system and overrun
the buffer with the attacker’s chosen data. The Web page could be hosted on
a Web site or sent directly to users as an HTML, Microsoft added.

The affected MDAC provides the underlying functionality for database
operations, like connecting to remote databases and returning data to a
client.

Ryan Naraine
Ryan Naraine is an eSecurity Planet, ServerWatch, and eWEEK contributor.

Top Products

Related articles