Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Windows Net Apps :: n-016.txt

Buffer Overrun in Microsoft Data Access Components MDAC (CIAC N-016)


                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___

                             INFORMATION BULLETIN

           Buffer Overrun in Microsoft Data Access Components (MDAC)
                     [Microsoft Security Bulletin MS02-065]

November 21, 2002 00:00 GMT                                       Number N-016
PROBLEM:       There is a buffer overrun vulnerability in Microsoft Data 
               Access Components (MDAC) Data Stub that affects web servers and 
PLATFORM:      * All Windows systems that run MDAC versions prior to 2.7 
	       * Microsoft Internet Explorer 5.01 
	       * Microsoft Internet Explorer 5.5 
	       * Microsoft Internet Explorer 6.0 
DAMAGE:        It is possible by exploiting this vulnerability an attacker can 
               run code of choice on a user's system, up to and including 
               administrator privileges. 
SOLUTION:      Apply patches or workarounds as described in Microsoft's 
VULNERABILITY  The risk is HIGH. MDAC is commonly is included by default in 
ASSESSMENT:    many versions of Windows. A remote user can gain administrator 

[***** Start Microsoft Security Bulletin MS02-065 *****]
Microsoft Security Bulletin MS02-065  

Buffer Overrun in Microsoft Data Access Components Could Lead to 
Code Execution (Q329414)
Originally posted: November 20, 2002

Who should read this bulletin: Customers using Microsoft® Windows®, particularly 
those who operate web sites or browse the Internet. 

Impact of vulnerability: Run code of attacker’s choice 

Maximum Severity Rating: Critical 

Recommendation: Users should apply the patch immediately. 

Affected Software: 

* Microsoft Data Access Components (MDAC) 2.1 
* Microsoft Data Access Components (MDAC) 2.5 
* Microsoft Data Access Components (MDAC) 2.6 
* Microsoft Internet Explorer 5.01 
* Microsoft Internet Explorer 5.5 
* Microsoft Internet Explorer 6.0 
Note: The vulnerability does not affect Windows XP, despite the fact that it uses 
Internet Explorer 6.0. Windows XP customers do not need to take any action. 

End User Bulletin: An end user version of this bulletin is available at: 

 Technical details
Technical description: 

Microsoft Data Access Components (MDAC) is a collection of components used to 
provide database connectivity on Windows platforms. MDAC is a ubiquitous technology, 
and it is likely to be present on most Windows systems: 

* It is included by default as part of Windows XP, Windows 2000, and Windows Millennium. 
* It is available for download as a stand-alone technology in its own right 
* It is either included in or installed by a number of other products and technologies. 
For instance, MDAC is included in the Windows NT® 4.0 Option Pack, and some MDAC 
components are present as part of Internet Explorer even if MDAC itself is not installed. 

MDAC provides the underlying functionality for a number of database operations, such as 
connecting to remote databases and returning data to a client. One of the MDAC components, 
known as Remote Data Services (RDS), provides functionality that support three-tiered 
architectures – that is, architectures in which a client’s requests for service from 
a back-end database are intermediated through a web site that applies business logic 
to them. A security vulnerability is present in the RDS implementation, specifically, 
in a function called the RDS Data Stub, whose purpose it is to parse incoming HTTP 
requests and generate RDS commands. 

A security vulnerability resulting from an unchecked buffer in the Data Stub affects 
versions of MDAC prior to version 2.7 (the version that shipped with Windows XP). 
By sending a specially malformed HTTP request to the Data Stub, an attacker could 
cause data of his or her choice to overrun onto the heap. Although heap overruns are 
typically more difficult to exploit than the more-common stack overrun, Microsoft has 
confirmed that in this case it would be possible to exploit the vulnerability to run 
code of the attacker’s choice on the user’s system. 

Both web servers and web clients are at risk from the vulnerability: 

* Web servers are at risk if a vulnerable version of MDAC is installed and running on 
the server. To exploit the vulnerability against such a web server, an attacker would 
need to establish a connection with the server and then send a specially malformed HTTP 
request to it, that would have the effect of overrunning the buffer with the attacker’s 
chosen data. The code would run in the security context of the IIS service (which, by 
default, runs in the LocalSystem context) 
* Web clients are at risk in almost every case, as the RDS Data Stub is included with 
all current versions of Internet Explorer and there is no option to disable it. To 
exploit the vulnerability against a client, an attacker would need to host a web page 
that, when opened, would send an HTTP reply to the user's system and overrun the buffer 
with the attacker's chosen data. The web page could be hosted on a web site or sent 
directly to users as an HTML Mail. The code would run in the security context of the 

Clearly, this vulnerability is very serious, and Microsoft recommends that all 
customers whose systems could be affected by them take appropriate action immediately. 

* Customers using Windows XP, or who have installed MDAC 2.7 on their systems are at no 
risk and do not need to take any action. 
* Web server administrators who are running an affected version of MDAC should either 
install the patch, disable MDAC and/or RDS, or upgrade to MDAC 2.7, which is not 
affected by the vulnerability. 
* Web client users who are running an affected version of MDAC should install the 
patch immediately on any system that is used for web browsing. It is important to 
stress that the latter guidance applies to any system used for web browsing, 
regardless of any other protective measures that have already been taken. For instance, 
a web server on which RDS had been disabled would still need the patch if it was 
occasionally used as a web client. 

Before deploying the patch, customers should familiarize themselves with the caveats 
discussed in the FAQ and in the Caveats section below. 

Mitigating factors: 

Web Servers 

* Web servers that are using MDAC version 2.7 (the version that shipped with Windows XP) 
or later are not aat risk from the vulnerability. 
* Even if a vulnerable version of MDAC were installed, a web server would only be at 
risk if RDS were enabled. RDS is disabled by default on clean installations of Windows 
XP and Windows 2000, and can be disabled on other systems by following the guidance in 
the IIS Security Checklist. In addition, the IIS Lockdown Tool will automatically 
disable RDS when used in its default configuration. 
* If the URLScan tool were deployed with its default ruleset (which allows only ASCII 
data to be present in an HTTP request), it is likely that the vulnerability could 
only be used for denial of service attacks. 
* IIS can be configured to run with fewer than administrative privileges. If this has 
been done, it would likewise limit the privileges that an attacker could gain through 
the vulnerability. 
* IP address restrictions, if applied to the RDS virtual directory, could enable the 
administrator to restrict access to only trusted users. This is, however, not practical 
for most web server scenarios. 

Web clients 

* Web clients that are using MDAC version 2.7 (the version that shipped with Windows XP) 
or later are not at risk from the vulnerability. 
* The HTML mail-based attack vector could not be exploited automatically on systems 
where Outlook 98 or Outlook 2000 were used in conjunction with the Outlook Email 
Security Update, or Outlook Express 6 or Outlook 2002 were used in their default 
* Exploiting the vulnerability would convey to the attacker only the user’s privileges 
on the system. Users whose accounts are configured to have few privileges on the system 
would be at less risk than ones who operate with administrative privileges. 

Severity Rating:   
MDAC 2.1 		Critical 
MDAC 2.5 		Critical 
MDAC 2.6 		Critical 
MDAC 2.7 		Not affected 
Internet Explorer 5.01 	Critical 
Internet Explorer 5.5 	Critical 
Internet Explorer 6.0 	Critical 
The above assessment is based on the types of systems affected by the vulnerability, 
their typical deployment patterns, and the effect that exploiting the vulnerability 
would have on them. This vulnerability is rated critical because an attacker could 
take over an IIS server or an Internet Explorer client and run code. Any IIS server 
with MDAC and all Internet Explorer clients should apply the patch immediately. 

Vulnerability identifier: CAN-2002-1142 

Tested Versions:
Microsoft tested MDAC 2.1, 2.5, 2.6 and 2.7 to assess whether they are affected by 
the server-side vulnerability. In addition, Microsoft also tested Internet Explorer 
5.01, 5.5 and 6.0 to assess whether they are affected by the client-side vulnerability. 
Previous versions are no longer supported, and may or may not be affected by these 

Patch availability
Download locations for this patch 
The following patch can be installed on all affected platforms: 

 Additional information about this patch
Installation platforms: 
The patch can be installed on the following systems: 

* Windows 98 Gold. 
* Windows 98SE Gold 
* Windows Me Gold 
* Windows NT4 Service Pack 6a 
* Windows 2000 Service Pack 2 or Service Pack 3 

Inclusion in future service packs:

* The fix for this issue will be included in the next service pack for MDAC 2.5. There 
will be no more service packs for MDAC 2.1 and MDAC 2.6. 
* The fix will also be included in Internet Explorer 5.01 Service Pack 4 and Internet 
Explorer 6.0 Service Pack 2. 

Reboot needed: 

* Web servers: We recommend rebooting the server after installing the patch. 
* Web client: It is not necessary to reboot after installing the patch. 

Patch can be uninstalled: No. 

Superseded patches: None. 

Verifying patch installation: 

* Microsoft Knowledge Base article Q329414 provides a file manifest that can be used to 
verify the patch installation. 


* As discussed in the FAQ, the patch does not set the Kill Bit on the affected ActiveX 
* If, after applying the patch, an MDAC service pack that predates the patch is installed, 
the effect is to remove the patch. Moreover, because the patch files would still be on the 
system, Windows Update would not be able to detect that the patch files were not in use, 
and would not offer to reinstall the patch. Instead, the user would need to reinstall the 
patch manually after installing the service pack. 

An example would be a users who have already patched their MDAC 2.5 machines. Then if they 
apply MDAC 2.5 Service Pack 2 over the already patched MDAC 2.5 machines, it's possible 
that there would be a regression, making it necessary for the users to reinstall this patch. 

Localized versions of this patch are available at the locations discussed in "Patch 

Obtaining other security patches: 
Patches for other security issues are available from the following locations: 

* Security patches are available from the Microsoft Download Center, and can be most 
easily found by doing a keyword search for "security_patch". 
* Patches for consumer platforms are available from the WindowsUpdate web site 

Other information: 

Microsoft thanks Foundstone Research Labs for reporting this issue to us and working 
with us to protect customers. 


* Microsoft Knowledge Base article Q329414 discusses this issue. Knowledge Base 
articles can be found on the Microsoft Online Support web site. 
* Technical support is available from Microsoft Product Support Services. There is no 
charge for support calls associated with security patches. 

Security Resources: The Microsoft TechNet Security Web Site provides additional 
information about security in Microsoft products. 

The information provided in the Microsoft Knowledge Base is provided "as is" without 
warranty of any kind. Microsoft disclaims all warranties, either express or implied, 
including the warranties of merchantability and fitness for a particular purpose. In 
no event shall Microsoft Corporation or its suppliers be liable for any damages 
whatsoever including direct, indirect, incidental, consequential, loss of business 
profits or special damages, even if Microsoft Corporation or its suppliers have been 
advised of the possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for consequential or incidental damages so the foregoing 
limitation may not apply. 


* V1.0 (November 20, 2002): Bulletin Created.

[***** End Microsoft Security Bulletin MS02-065 *****]


CIAC wishes to acknowledge the contributions of Microsoft Corporation for the 
information contained in this bulletin.

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:
   Anonymous FTP:

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-007: Microsoft Outlook Express Unchecked Buffer in S/MIME Vulnerability
N-008: Microsoft Elevation of Privilege in SQL Server Web Tasks
N-009: MIT krb5  Buffer Overflow in kadmind4
CIACTech03-001: Spamming using the Windows Messenger Service
N-010: Web-Based Enterprise Management on Solaris 8 Installs Insecure Files 
N-011: Cumulative Patch for Internet Information Service
N-012: Windows 2000 Default Permissions Could Allow Trojan Horse Program
N-013: ISC Remote Vulnerabilities in BIND4 and BIND8
N-014: Trojan Horse tcpdump and libpcap Distributions
N-015: SGI IRIX lpd Daemon Vulnerabilities via sendmail and dns

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH