Article ID: 326573 - Last Review: March 29, 2007 - Revision: 7.5

MS02-040: Security Update for Microsoft Data Access Components

View products that this article applies to.
This article was previously published under Q326573
Notice

Replacement of MS02-040

This security release has been replaced by Microsoft Security Bulletin MS03-033:
http://www.microsoft.com/technet/security/bulletin/MS03-033.mspx (http://www.microsoft.com/technet/security/bulletin/MS03-033.mspx)
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
823718  (http://support.microsoft.com/kb/823718/ ) MS03-033: Security Update for Microsoft Data Access Components
Note To see downloads for Microsoft Security Bulletin MS03-033, see the "Download Information" section of this article.

On This Page

Expand all | Collapse all

SUMMARY

After the release of this bulletin, it was determined that the vulnerability that is addressed is not with the OpenRowSet command. The OpenRowSet command is a Microsoft SQL Server command. Instead, the vulnerability is with the underlying MDAC component Open Database Connectivity (ODBC). OBDC is present in all versions of Windows. Additionally, the original security patch that released with this did not install correctly on some systems because of a flaw in the way that Microsoft Windows Installer updated the Windows File Protection cache. The bulletin has been updated to include this additional information, and to direct users to an updated security patch.

Microsoft Data Access Components (MDAC) is a collection of components that is used to provide database connectivity on Microsoft Windows operating systems. MDAC is a ubiquitous technology, and it is likely to be present on most Windows systems.

By default, MDAC is included as part of Microsoft Windows XP, Microsoft Windows 2000, and Microsoft Windows Millennium Edition (Me). A number of other products and technologies also include or install MDAC. For example, the Microsoft Windows NT 4.0 Option Pack and Microsoft SQL Server 2000 both include MDAC, and some MDAC components are present as part of Microsoft Internet Explorer even if MDAC itself is not installed. MDAC is also available as a stand-alone technology. To download MDAC, visit the following Microsoft Web site:
http://msdn2.microsoft.com/en-us/data/aa937695.aspx (http://msdn2.microsoft.com/en-us/data/aa937695.aspx)


MDAC provides the underlying functionality for a number of database operations, such as connecting to remote databases and returning data to a client. Specifically, it is the MDAC component known as Open Database Connectivity (ODBC) that provides this functionality.

A security vulnerability results because one of the ODBC functions in MDAC that is used to connect to data sources contains an unchecked buffer. An attacker can seek to exploit the vulnerability by constructing a Web page that, when visited by the user, can execute code of the attacker's choice with the credentials of the user. The Web page can be hosted on a Web site or sent directly to the user in an e-mail message.

In the case of a system that is running SQL Server, an attacker can seek to exploit this vulnerability by using the Transact-SQL OpenRowSet command. An attacker who submits a database query that contains a specially-malformed parameter in a call to OpenRowSet might overrun the buffer, either to cause the computer that is running SQL Server to fail, or to cause the computer that is running SQL Server to take actions that are dictated by the attacker.

The mitigating factors are as follows:
  • Users who read e-mail messages as plain text must take an action before an attacker can exploit the vulnerability.
  • Systems that are configured to disable active scripting in Internet Explorer are not affected by this vulnerability.
  • In the Web-based attack scenario, a user must visit a malicious Web site that is under the control of an attacker. An attacker cannot force users to visit a malicious Web site outside the HTML e-mail vector. Instead, an attacker must lure users to the Web site, typically by getting the user to click a link that takes them to the Web site of the attacker.
  • The credentials that are gained through a successful attack would be equal to those of the application under which ODBC is running. Most of the time, an attacker gains only the same level of credentials that the user logged in with.
  • By default, Outlook Express 6.0 and Outlook 2002 open HTML mail in the Restricted Sites Zone. Additionally, Outlook 98 and 2000 open HTML mail in the Restricted Sites Zone if the Outlook Email Security Update has been installed. Customers who use any of these products would be at no risk from an e-mail borne attack that tried to exploit this vulnerability unless the user clicked a malicious link in the e-mail.
Back to the top

MORE INFORMATION

Download information

Note The following links reflect the new security patch, MS03-033. The following file is available for download from the Microsoft Download Center:
Collapse this imageExpand this image
Download
Download the Microsoft Data Access Components (MDAC) Security Patch MS03-033 package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=9107ABC6-8995-4A99-B6A0-478B3A847E9C&displaylang=en) Release Date: 20 August 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591  (http://support.microsoft.com/kb/119591/ ) How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites

You must be running one of the following versions of MDAC:
  • MDAC 2.5
  • MDAC 2.6
  • MDAC 2.7
Other versions of MDAC, including MDAC 2.8, are not affected by this vulnerability.

Note These updates apply to all applicable languages.

Installation options

You must restart your computer after you apply this update. This update supports the following Setup switches: 
Switch            Description
-------------------------------------------------------------------------
/?                Displays the list of installation switches
/Q                Quiet mode
/T:<full path>    Specifies the temporary working folder
/C                Extract files only to the folder when it is used with /T
/C:<Cmd>          Override Install Command that author defines
/N                No restart dialog box

For example, the following command-line command installs the update without any user intervention and suppresses a restart:

Q823718_MDAC_SecurityPatch /C:"dahotfix.exe /q /n" /q

The /q switch that is specified for dahotfix.exe is for a silent install and the /n switch suppresses a restart.

Warning Your computer is vulnerable until you restart it.

Restart requirement

You must restart your computer after you apply this update.

Removal information

This security patch cannot be removed after it has been installed.

Security patch replacement information

This security patch has been replaced with the security patch that is provided in Microsoft Security Bulletin MS03-033. For more information about Microsoft Security Bulletin MS03-033, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS03-033.mspx (http://www.microsoft.com/technet/security/bulletin/MS03-033.mspx)
For additional information about Microsoft Security Bulletin MS03-033, click the following article number to view the article in the Microsoft Knowledge Base:
823718  (http://support.microsoft.com/kb/823718/ ) MS03-033: Security Update for Microsoft Data Access Components

File information

The English version of this security patch has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

MDAC 2.5 Service Pack 2

   	Date         Time   Version            Size    File name
   --------------------------------------------------------------
   23-Jul-2003  20:56  3.520.6100.40     212,992  Odbc32.dll       
   21-Jul-2003  22:24  3.70.11.40         24,848  Odbcbcp.dll      
   23-Jul-2003  02:29  3.520.6100.40     102,672  Odbccp32.dll     
   21-Jul-2003  22:24  3.70.11.40        524,560  Sqlsrv32.dll

MDAC 2.5 Service Pack 3

   	Date         Time   Version            Size    File name
   --------------------------------------------------------------
   24-Jul-2003  00:13  3.520.6300.40     212,992  Odbc32.dll       
   21-Jul-2003  22:24  3.70.11.40         24,848  Odbcbcp.dll      
   24-Jul-2003  00:11  3.520.6300.40     102,672  Odbccp32.dll     
   21-Jul-2003  22:24  3.70.11.40        524,560  Sqlsrv32.dll

MDAC 2.6 Service Pack 2

   	Date         Time   Version            Size    File name
   --------------------------------------------------------------
   21-Jul-2003  17:28  2000.80.746.0      86,588  Dbnetlib.dll     
   22-Jul-2003  22:04  3.520.7501.40     217,360  Odbc32.dll       
   21-Jul-2003  17:28  2000.80.746.0      29,252  Odbcbcp.dll      
   22-Jul-2003  22:04  3.520.7501.40     102,672  Odbccp32.dll     
   31-Jul-2003  23:07  2000.80.746.0     479,800  Sqloledb.dll     
   21-Jul-2003  17:28  2000.80.746.0     455,236  Sqlsrv32.dll

MDAC 2.7 RTM

   	Date         Time   Version            Size    File name
   --------------------------------------------------------------
   31-Jul-2003  17:49  2000.81.9001.40    61,440  Dbnetlib.dll     
   22-Jul-2003  23:04  3.520.9001.40     204,800  Odbc32.dll       
   22-Jul-2003  23:10  2000.81.9001.40    24,576  Odbcbcp.dll      
   22-Jul-2003  23:10  3.520.9001.40      94,208  Odbccp32.dll     
   31-Jul-2003  17:49  2000.81.9001.40   450,560  Sqloledb.dll     
   22-Jul-2003  23:08  2000.81.9001.40   356,352  Sqlsrv32.dll

MDAC 2.7 Service Pack 1

   	Date         Time   Version            Size    File name
   --------------------------------------------------------------
   22-Jul-2003  18:27  2000.81.9041.40    61,440  Dbnetlib.dll     
   22-Jul-2003  18:22  3.520.9041.40     204,800  Odbc32.dll       
   22-Jul-2003  18:28  2000.81.9041.40    24,576  Odbcbcp.dll      
   22-Jul-2003  18:28  3.520.9041.40      98,304  Odbccp32.dll     
   31-Jul-2003  18:47  2000.81.9041.40   471,040  Sqloledb.dll     
   22-Jul-2003  18:27  2000.81.9041.40   385,024  Sqlsrv32.dll

Verification

Make sure that you have the correct versions of the files that are listed in this article.
Back to the top

REFERENCES

For additional information about Microsoft Security Bulletin MS02-040, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS02-040.mspx (http://www.microsoft.com/technet/security/bulletin/MS02-040.mspx)
Back to the top
APPLIES TO
  • Microsoft Data Access Components 2.5
  • Microsoft Data Access Components 2.6
  • Microsoft Data Access Components 2.7
Back to the top
Keywords: 
kbhotfixserver kbqfe kbbug kbfix kbqfe kbsecbulletin kbsechack kbsecurity kbsecvulnerability KB326573
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations