The vulnerability does not affect Microsoft Windows XP, although Windows XP uses Microsoft Internet Explorer 6.0. Windows XP customers do not have to take any action. By default, Windows XP installs Microsoft Data Access Components (MDAC) 2.7. MDAC 2.7 is not affected.
MDAC is a collection of components that provide database connectivity on Windows operating systems. MDAC is a ubiquitous technology, and it is likely to be present on most Windows systems, including the following:
- MDAC is included by default as part of Windows XP, Windows 2000, and Windows Millennium.
- MDAC is available for download as a stand-alone technology.
- MDAC is either included in or installed by a number of other products and technologies.
- MDAC is included in the Microsoft Windows NT 4.0 Option Pack.
- Some MDAC components are included in Internet Explorer, even if MDAC itself is not installed.
MDAC provides the underlying functionality for a number of database operations, including the ability to connect to remote databases and to return data to a client. The MDAC component Remote Data Services (RDS) provides functionality that supports three-tiered architectures. In three-tiered architectures, a client requests service from a back-end database, and then these requests are intermediated through a Web site that applies business logic.
A security vulnerability is present in the RDS implementation. This vulnerability exists in the RDS data stub. The data stub parses incoming HTTP requests, and then generates RDS commands. A security vulnerability that is caused by an unchecked buffer in the data stub affects versions of MDAC earlier than version 2.7 (the version that was included with Windows XP). If an attacker sends a specially malformed HTTP request to the data stub, data of his or her choice can overrun onto the heap. Heap overruns are typically more difficult to exploit than the more common stack overrun. However, Microsoft has confirmed that in this scenario it is possible to exploit the vulnerability to run code of the attacker's choice on the user's system.
Both Web servers and Web clients are at risk from the vulnerability.
- Web servers are at risk if a vulnerable version of MDAC is installed and running on the server. To exploit the vulnerability against such a Web server, an attacker must establish a connection with the server, and then send a specially malformed HTTP request to it. This action would overrun the buffer with the chosen data of the attacker. The code would run in the security context of the IIS service. By default, the IIS service runs in the LocalSystem context.
- Web clients are at risk in almost every scenario. The RDS data stub is included with all the current versions of Internet Explorer, and there is no option to disable it. To exploit the vulnerability against a client, an attacker must host a Web page that sends an HTTP reply to the system of the user when it is opened, and then overruns the buffer with the chosen data of the attacker. This Web page may be hosted on a Web site or sent directly to users as an HTML mail. The code runs in the security context of the user.
This vulnerability is very serious, and Microsoft recommends that all customers whose systems can be affected take appropriate action immediately. To take action, do the following:
- Customers who use Windows XP or who installed MDAC 2.7 on their systems are at no risk and do not have to take any action.
- Web server administrators who run an affected version of MDAC must install the security patch, disable RDS access through IIS, or upgrade to MDAC 2.7.
- Web client users who run an affected version of MDAC must install the security patch immediately on any system that accommodates Web browsing, regardless of any other protective measures. For example, a Web server on which RDS is disabled must have the security patch if the Web server is occasionally used as a Web client.
- If this security patch is installed on a Windows 2000 SP3 server, SUS (Software Update Service) stops functioning correctly. To work around this problem, maintain SUS functionality, and also correct the buffer overrun vulnerability, upgrade to MDAC 2.7.
Service Pack Information
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
How to Obtain the Latest Windows 2000 Service Pack
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that you determine are at risk of attack. Evaluate the computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to the computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This hotfix may receive additional testing. If the computer is sufficiently at risk, we recommend that you apply this hotfix now.
To resolve this problem immediately, download the hotfix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:
Note: In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
The following file is available for download from the Microsoft Download Center:
Release Date: November 20, 2002
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
This security patch can be installed on Windows 98, Windows 98 Second Edition, Windows Millennium Edition (ME), Windows NT 4.0 Service Pack 6a (SP6a), Windows 2000 SP2, or Windows 2000 SP3. For additional information about Windows 2000 and Windows NT 4.0 service packs, click the following article numbers to view the articles in the Microsoft Knowledge Base:
How to Obtain the Latest Windows 2000 Service Pack
How to Obtain the Latest Windows NT 4.0 Service Pack
Restart your Web server after you apply the security patch. You do not have to restart your Web client. This update supports the following Setup switches:
- /?: Displays the list of installation switches.
- /Q: Quiet mode.
- /T:<full path>: Specifies the temporary working folder.
- /C: Extracts files only to the folder when it is used with /T.
- /C:<Cmd>: Overrides install command defined by the author.
- /N: No restart dialog box.
The following command-line command installs the update without any user intervention:
q329414_mdacall_x86 /C:"dahotfix.exe /q /n" /q:a
Warning: Your computer may be vulnerable until you restart it.
The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Note: The following installation file names are appended with an MDAC version. The files that are installed appear in the msadc folder without the appended MDAC version in the file name.
Date         Time   Version      Size     File name
--------------------------------------------------------
21-Sep-2002  00:36  2.53.6202.0  856,768  Msadce25.dll
09-Oct-2002  21:16  2.12.5118.0  135,440  Msadco21.dll
21-Sep-2002  00:36  2.53.6202.0  430,080  Msadco25.dll
25-Sep-2002  18:47  2.62.9119.1  147,728  Msadco26.dll
09-Oct-2002  21:16  2.12.5118.0   49,936  Msadcs21.dll
21-Sep-2002  00:36  2.53.6202.0  135,168  Msadcs25.dll
25-Sep-2002  18:47  2.62.9119.1   57,616  Msadcs26.dll
21-Sep-2002  00:36  2.53.6202.0  615,655  Msdaprst25.dll
For MDAC 2.6, the following files are copied to the Program Files\Common Files\System\msadc folder:
Date         Time   Version      Size     File name
----------------------------------------------------
25-Sep-2002  18:47  2.62.9119.1  147,728  Msadco.dll
25-Sep-2002  18:47  2.62.9119.1   57,616  Msadcs.dll
For MDAC 2.5, the following files are copied to the Program Files\Common Files\System\msadc folder:
Date         Time   Version      Size     File name
------------------------------------------------------
21-Sep-2002  00:36  2.53.6202.0  856,768  Msadce.dll
21-Sep-2002  00:36  2.53.6202.0  430,080  Msadco.dll
21-Sep-2002  00:36  2.53.6202.0  135,168  Msadcs.dll
21-Sep-2002  00:36  2.53.6202.0  615,655  Msdaprst.dll
For MDAC 2.1, the following files are copied to the Program Files\Common Files\System\msadc folder:
Date         Time   Version      Size     File name
----------------------------------------------------
09-Oct-2002  21:16  2.12.5118.0  135,440  Msadco.dll
09-Oct-2002  21:16  2.12.5118.0   49,936  Msadcs.dll
Note: Because of file dependencies, this update may contain additional files.
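The file tables above can be turned into a patch-level check for an inventory of msadc file versions. The following is an added example, not part of the original article or of Microsoft's tooling. The function names, the sample inventory, the mapping from the file version's minor number to the MDAC branch (inferred from the tables), and the assumption that MDAC 2.7 files carry version 2.70 or later are all assumptions of this example.

```python
# Added example: classify msadc file versions against this article's tables.
# Patched versions per MDAC branch, copied from the tables above ("or later").
PATCHED = {
    "2.1": (2, 12, 5118, 0),
    "2.5": (2, 53, 6202, 0),
    "2.6": (2, 62, 9119, 1),
}

def parse_version(text):
    """Turn '2.53.6202.0' into (2, 53, 6202, 0); reject malformed input."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)

def branch_of(version):
    """Assumption inferred from the tables: 2.12 -> 2.1, 2.53 -> 2.5, 2.62 -> 2.6."""
    return f"{version[0]}.{version[1] // 10}"

def classify(file_version):
    """Return 'not affected', 'patched', 'vulnerable' or 'unlisted branch'."""
    version = parse_version(file_version)
    if version[:2] >= (2, 70):       # assumption: MDAC 2.7 files are 2.70 or later
        return "not affected"
    fixed = PATCHED.get(branch_of(version))
    if fixed is None:                # branch has no patched build in the tables
        return "unlisted branch"
    return "patched" if version >= fixed else "vulnerable"

def audit(inventory):
    """inventory: {file name: version string} -> {file name: status}."""
    return {name: classify(ver) for name, ver in inventory.items()}

# Constructed sample inventory (not real host data).
SAMPLE = {
    "Msadcs.dll": "2.53.6200.0",
    "Msadco.dll": "2.62.9119.1",
    "Msadce.dll": "2.70.0.0",
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```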
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Microsoft Windows 2000 Service Pack 4.