SECURITYVULNS:DOC:3780
Nov 22, 2002 - 12:00 a.m.

ISS Security Brief: Microsoft MDAC Remote Compromise Vulnerability


-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Brief
November 21, 2002

Microsoft MDAC Remote Compromise Vulnerability

Synopsis:

Microsoft has released a security bulletin detailing a vulnerability in
Microsoft MDAC technology. MDAC, or Microsoft Data Access Components, is a core
component of the Windows operating system and Microsoft IIS (Internet
Information Server). MDAC provides database connectivity to Microsoft clients
and servers. A buffer overflow flaw exists within the RDS (Remote Data
Services) component of MDAC.

Impact:

ISS X-Force defines this issue as "High Risk". Remote attackers can take
advantage of this vulnerability to gain "System" level privileges on
vulnerable IIS installations. However, X-Force believes the scope of the
issue and the estimated number of vulnerable systems have been exaggerated.
While MDAC is enabled by default, RDS features are not accessible on default
Windows 2000 installations running IIS. There are also significant mitigating
factors in place to limit exploitation of this issue by way of email clients
or Web browsers.

Affected Versions:

MDAC 2.1
MDAC 2.5
MDAC 2.6

Internet Explorer 5.01
Internet Explorer 5.5
Internet Explorer 6.0

Note: Windows XP users are not at risk. Windows XP is shipped with MDAC
version 2.7 and it is not affected. Email users of Outlook 98 or Outlook 2000
and the Outlook Email Security Update are not affected. Email users of Outlook
6 or Outlook 2002 are also not affected.

For the complete ISS X-Force Security Alert, please visit:
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21521


About Internet Security Systems (ISS)

Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
worldwide.

Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the
express written consent of the Internet Security Systems X-Force. If you
wish to reprint the whole or any part of this document in any other
medium excluding electronic media, please email [email protected] for
permission.

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key
server, as well as at http://www.iss.net/security_center/sensitive.php

Please send suggestions, updates, and comments to: X-Force
[email protected] of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBPd0veDRfJiV99eG9AQFongP8CWfR76EOh5Yrg5bSU2WiXDOEm6ufOoWf
VJD07ZnnZrO6V16pAXK7mc6S+cbxdkn/MSqsX6VB6gX3gCOm/SrFexCrTYARrwxo
bHwghTyZsob+oYK1Xf/RnqBqGJ4FgKp5hyTVglqpj+PnFt6OiZVKaWD4/8iqR6Fw
R0Jfyg+WoPU=
=VJVU
-----END PGP SIGNATURE-----