SecurityTracker.com
SecurityTracker Archives
Category:   Application (Web Browser)  >   Microsoft Internet Explorer (IE)
Vendors:   Microsoft
Microsoft Internet Explorer MDAC Component Buffer Overflow Allows Remote Users to Execute Arbitrary Code
SecurityTracker Alert ID:  1005672
SecurityTracker URL:  http://securitytracker.com/id/1005672
CVE Reference:   CAN-2002-1142
Date:  Nov 20 2002
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 5.01, 5.5, 6.0
Description:   A buffer overflow vulnerability was reported in the Microsoft Data Access Components (MDAC) software (which is distributed as part of Internet Explorer) in the Remote Data Services (RDS) implementation. A remote user can cause arbitrary code to be executed on the system.

Microsoft issued an advisory warning that the RDS Data Stub function in MDAC versions prior to 2.7 contains a flaw. A remote user can send a specially crafted HTTP request to the RDS to trigger the overflow and write to the heap, causing arbitrary code to be executed.

On the Internet Explorer (IE) web browser, which includes the RDS Data Stub, a remote user could send a specially crafted HTTP reply in response to the target user's HTTP request to trigger the overflow. The arbitrary code would run with the privileges of the target user.

Microsoft credits Foundstone Research Labs for reporting this issue.

Impact:   A remote user could cause arbitrary code to be run with the privileges of the target user.
Solution:   Microsoft has released a patch, available at:

http://www.microsoft.com/downloads/Release.asp?ReleaseID=44733

This patch can be installed on Windows 98 Gold, Windows 98SE Gold, Windows Me Gold, Windows NT4 SP6a, and Windows 2000 SP2 or SP3.

Microsoft plans to include this fix in the next service pack for MDAC 2.5 and in IE 5.01 SP4 and IE 6.0 SP2.

Microsoft warns that a patched system could, under unusual conditions, be rendered vulnerable again. The vendor reports that it is not possible to set the "Kill Bit" used by one of the vulnerable ActiveX components, because many other applications use that component. To counter this, Microsoft indicates that you should configure your system so that you have no trusted publishers, including Microsoft. Then, if malicious HTML content attempts to download an ActiveX control to your system, the system will generate a warning message.

Microsoft has provided the following steps on how to empty the Trusted Publishers list:

1. In Internet Explorer, choose Tools, then Internet Options.
2. Select the Content tab. In the Certificates section of the page, click on Publishers.
3. In the Certificates dialog, click on the Trusted Publishers tab.
4. For each certificate in the list, click on the certificate and then select Remove. Confirm that you want to remove the entry.
5. When you've removed all entries from the list, select Close to close the Certificates dialog, then click on OK to close the Internet Options dialog.

Please refer to the Vendor URL for full details.

Microsoft has issued Knowledge Base article Q329414 regarding this issue, available at:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q329414

Vendor URL:  www.microsoft.com/technet/security/bulletin/MS02-065.asp
Cause:   Boundary error
Underlying OS:   Windows (Me), Windows (NT), Windows (98), Windows (2000)

Message History:   None.


 Source Message Contents

Date:  Wed, 20 Nov 2002 10:11:51 -0800
Subject:  Microsoft Security Bulletin MS02-065: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414)


-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      Buffer Overrun in Microsoft Data Access Components Could 
            Lead to Code Execution (Q329414)
Date:       20 November, 2002
Software:   
            Microsoft Data Access Components (MDAC) 2.1 
            Microsoft Data Access Components (MDAC) 2.5 
            Microsoft Data Access Components (MDAC) 2.6 
            Microsoft Internet Explorer 5.01 
            Microsoft Internet Explorer 5.5 
            Microsoft Internet Explorer 6.0
Impact:     Run code of attacker's choice
Max Risk:   Critical
Bulletin:   MS02-065

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/security/security_bulletins/ms02-065.asp
http://www.microsoft.com/technet/security/bulletin/MS02-065.asp.
- ----------------------------------------------------------------------

Issue:
======
Microsoft Data Access Components (MDAC) is a collection of components
used to provide database connectivity on Windows platforms. MDAC is 
a ubiquitous technology, and it is likely to be present on most 
Windows systems: 


- It is included by default as part of Windows XP, Windows 2000, and
  Windows Millennium.
- It is available for download as a stand-alone technology in its
  own right.
- It is either included in or installed by a number of other products
  and technologies. For instance, MDAC is included in the Windows NT
  4.0 Option Pack, and some MDAC components are present as part of
  Internet Explorer even if MDAC itself is not installed.

MDAC provides the underlying functionality for a number of database 
operations, such as connecting to remote databases and returning data
to a client. One of the MDAC components, known as Remote Data
Services (RDS), provides functionality that supports three-tiered
architectures, that is, architectures in which a client's requests
for service from a back-end database are intermediated through a web
site that applies business logic to them. A security vulnerability
is present in the RDS implementation, specifically, in a function
called the RDS Data Stub, whose purpose it is to parse incoming
HTTP requests and generate RDS commands.

The vulnerability results because of an unchecked buffer in the Data 
Stub. By sending a specially malformed HTTP request to the Data Stub,
an attacker could cause data of his or her choice to overrun onto the
heap. Although heap overruns are typically more difficult to exploit
than the more-common stack overrun, Microsoft has confirmed that in 
this case it would be possible to exploit the vulnerability to run 
code of the attacker's choice on the user's system.

Both web servers and web clients are at risk from the vulnerability:

- Web servers are at risk if a vulnerable version of MDAC is installed
  and running on the server. To exploit the vulnerability against such
  a web server, an attacker would need to establish a connection with
  the server and then send a specially malformed HTTP request to it,
  that would have the effect of overrunning the buffer with the
  attacker's chosen data. The code would run in the security context
  of the IIS service (which, by default, runs in the LocalSystem
  context).
- Web clients are at risk in almost every case, as the RDS Data Stub
  is included with all current versions of Internet Explorer and
  there is no option to disable it. To exploit the vulnerability
  against a client, an attacker would need to host a web page that,
  when opened, would send an HTTP reply to the user's system and
  overrun the buffer with the attacker's chosen data. The web page
  could be hosted on a web site or sent directly to users as an HTML
  Mail. The code would run in the security context of the user.

Clearly, this vulnerability is very serious, and Microsoft recommends
that all customers whose systems could be affected by it take
appropriate action immediately. Web server administrators should either
install the patch, disable MDAC and/or RDS, or upgrade to MDAC 2.7,
which is not affected by the vulnerability. Web client users should
install the patch immediately on any system that is used for web
browsing. It is important to stress that the latter guidance applies
to any system used for web browsing, regardless of any other
protective measures that have already been taken. For instance, a
web server on which RDS had been disabled would still need the patch
if it was occasionally used as a web client.

Mitigating Factors:
====================
Web Servers
- Web servers that are using MDAC version 2.7 (the version that
  shipped with Windows XP) or later are not affected by the
  vulnerability.
- Even if a vulnerable version of MDAC were installed, a web server
  would only be at risk if RDS were enabled. RDS is disabled by default
  on clean installations of Windows XP and Windows 2000, and can be
  disabled on other systems by following the guidance in the IIS
  Security Checklist. In addition, the IIS Lockdown Tool will
  automatically disable RDS when used in its default configuration.
- If the URLScan tool were deployed with its default ruleset (which
  allows only ASCII data to be present in an HTTP request), it is
  likely that the vulnerability could only be used for denial of
  service attacks.
- IIS can be configured to run with fewer than administrative
  privileges. If this has been done, it would likewise limit the
  privileges that an attacker could gain through the vulnerability.
- IP address restrictions, if applied to the RDS virtual directory,
  could enable the administrator to restrict access to only trusted
  users. This is, however, not practical for most web server
  scenarios.

Web clients
- The HTML mail-based attack vector could not be exploited
  automatically on systems where Outlook 98 or Outlook 2000 were used
  in conjunction with the Outlook Email Security Update, or Outlook
  Express 6 or Outlook 2002 were used in their default
  configurations.
- Exploiting the vulnerability would convey to the attacker only the
  user's privileges on the system. Users whose accounts are configured
  to have few privileges on the system would be at less risk than
  ones who operate with administrative privileges.

Risk Rating:
============
 - Internet systems: Critical
 - Intranet systems: Critical
 - Client systems: Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-065.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Microsoft thanks Foundstone Research Labs
   (http://www.foundstone.com/) for reporting this issue to us
   and working with us to protect customers.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPdvJ8I0ZSRQxA/UrAQER+wgAj6UQfMzv8Ydv4ZuZVuQS0CHiVQ+r8Ykm
kDZ/EQhmDo7/j+SXVqGjvycrZCGFET5guGbrGzc7z4bQFAQMs2YxbOxhDYirCxQ6
9zsRDuUkmztjY7VB+oeWBIgaENcFPfv0v9XOMN8pArr1PziHaKOeZ+pYkoFvM83t
IegB6sRw6dc8UfvC0j5eyCnW+YXrRgWjAq3KCn+TW7dVgGSCONUXtwXPxzEivk21
zcNu8pOWY7z49zOLJKJlad78XiraUvhUNj1IGM0J5/XhRHsVe1MI3+V8Btsx0EGo
XwwHx8Zua0l4n/XMufIr5Zr0jhNH9KO2jABDvDCEw3ofGeYo/mJgZw==
=CYOd
-----END PGP SIGNATURE-----


*******************************************************************

You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service. For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.

To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.

To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp

If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via email as described below:
Reply to this message with the word UNSUBSCRIBE in the Subject line.

For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.
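The bulletin above describes the defect as an unchecked buffer in a request-parsing stub that lets data from the network overrun a heap allocation, and lists URLScan's default ASCII-only ruleset as a mitigation that reduces the issue to a denial of service. The following C program is an added illustration of those two points, written for this page; it is not MDAC or RDS code, and the function names, the FIELD_MAX size, the result codes and the sample request (including the placeholder path) are all constructed for the example. It shows the unchecked copy pattern for contrast, the bounds-checked form that refuses an oversized request line before any byte is written, and an ASCII-only pre-filter applied before the stub parses anything.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added illustration (not MDAC/RDS code): a toy request "stub" that copies
 * the HTTP request line into a fixed-size heap buffer. FIELD_MAX, the
 * function names, the result codes and the sample request are constructed
 * for this example.
 */
#define FIELD_MAX 64

enum stub_result {
    STUB_OK = 0,
    STUB_TOO_LONG = -1,     /* field would not fit the allocation: refused */
    STUB_NON_ASCII = -2,    /* URLScan-style filter: non-ASCII byte in request */
    STUB_BAD_REQUEST = -3,  /* request line has no terminator */
    STUB_NO_MEMORY = -4
};

/*
 * Vulnerable pattern, shown for contrast only: the heap buffer holds
 * FIELD_MAX bytes, but strcpy copies whatever length the peer sent, so a
 * longer value runs past the allocation into neighbouring heap data.
 * Nothing in this example calls it.
 */
char *unchecked_copy(const char *value) {
    char *buf = malloc(FIELD_MAX);
    if (buf == NULL)
        return NULL;
    strcpy(buf, value);  /* BUG: no check that strlen(value) < FIELD_MAX */
    return buf;
}

/* Hardened form: the length is compared with the allocation before any byte is copied. */
int checked_copy(const char *value, size_t n, char **out) {
    if (n >= FIELD_MAX)          /* leave room for the terminating NUL */
        return STUB_TOO_LONG;
    char *buf = malloc(FIELD_MAX);
    if (buf == NULL)
        return STUB_NO_MEMORY;
    memcpy(buf, value, n);
    buf[n] = '\0';
    *out = buf;
    return STUB_OK;
}

/*
 * Pre-filter modelled on the bulletin's description of URLScan's default
 * ruleset, which allows only ASCII data in a request: any byte above 0x7F
 * causes the whole request to be dropped before the stub parses it.
 */
int is_ascii_only(const char *req, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if ((unsigned char)req[i] > 0x7F)
            return 0;
    }
    return 1;
}

/* Parse the request line into a fresh allocation; caller frees *line_out on STUB_OK. */
int handle_request(const char *req, size_t len, char **line_out) {
    if (!is_ascii_only(req, len))
        return STUB_NON_ASCII;
    const char *eol = memchr(req, '\n', len);
    if (eol == NULL)
        return STUB_BAD_REQUEST;
    size_t n = (size_t)(eol - req);
    if (n > 0 && req[n - 1] == '\r')
        n--;                      /* strip the CR of the CRLF terminator */
    return checked_copy(req, n, line_out);
}

int main(void) {
    /* Constructed sample request; the path is a placeholder, not a real RDS endpoint. */
    const char good[] = "POST /rds-stub-placeholder HTTP/1.0\r\nHost: example.test\r\n\r\n";
    char *line = NULL;
    int rc = handle_request(good, sizeof good - 1, &line);
    printf("well-formed request: rc=%d line=\"%s\"\n", rc, rc == STUB_OK ? line : "");
    if (rc == STUB_OK)
        free(line);

    /* Oversized request line: refused instead of overrunning the heap buffer. */
    char big[200];
    memset(big, 'A', sizeof big);
    memcpy(big + sizeof big - 2, "\r\n", 2);
    rc = handle_request(big, sizeof big, &line);
    printf("oversized request line: rc=%d (STUB_TOO_LONG is %d)\n", rc, STUB_TOO_LONG);
    return 0;
}
```

The length check in checked_copy is the whole fix for this class of bug: the allocation size is fixed, so the input length must be validated against it before the copy, not discovered afterwards. The ASCII pre-filter is a separate layer and matches what the bulletin says about URLScan: it does not remove the unchecked copy, it only narrows what reaches it, which is why the bulletin still recommends the patch on every system.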


 
 


Copyright 2014, SecurityGlobal.net LLC