[GECOS] Fwd: Microsoft Security Bulletin MS02-065: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414) (fwd)

Bill Murray bmurray at snf.stanford.edu
Thu Nov 21 11:01:17 PST 2002


John and Mike,

Since my Windows machine at home was hacked recently, I've been careful
to keep it patched.  I periodically patch the OS, run virus scan, and
defrag the disks.  Although some of these items can be automated, I prefer
to run them manually for a number of reasons.  This last patch is critical.
I suspect that most of our staff desktops are at risk.  Just to let you
know, this took about an hour of my time to do on my machine.

Bill

---------- Forwarded message ----------
Date: Wed, 20 Nov 2002 12:44:33 -0800
From: Joe Little <jlittle at open-it.org>
To: gecos at island.stanford.edu
Subject: [GECOS] Fwd: Microsoft Security Bulletin MS02-065: Buffer Overrun in
    Microsoft Data Access Components Could Lead to Code Execution (Q329414)

Something to patch on W2K/XP/WinME.. pretty important as it is marked  
critical.


Begin forwarded message:

> Resent-From: mssec at kigi.mailshell.com
> From: "Microsoft"  
> <0_41279_1F68B851-2F7D-EB41-A6C3- 
> CAB5E6906B6F_US.at.Newsletters.Microsoft.com at mssec.at.kigi.mailshell.co 
> m>
> Date: Wed Nov 20, 2002  10:46:18 AM US/Pacific
> Resent-To: jlittle at open-it.org
> To: "mssec at kigi.mailshell.com" <mssec at kigi.mailshell.com>
> Subject: Microsoft Security Bulletin MS02-065: Buffer Overrun in
> Microsoft Data Access Components Could Lead to Code Execution (Q329414)
> Reply-To:  
> "3_41279_1F68B851-2F7D-EB41-A6C3- 
> CAB5E6906B6F_US at Newsletters.Microsoft.com"  
> <3_41279_1F68B851-2F7D-EB41-A6C3- 
> CAB5E6906B6F_US.at.Newsletters.Microsoft.com at mssec.at.kigi.mailshell.co 
> m>
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> ----------------------------------------------------------------------
> Title:      Buffer Overrun in Microsoft Data Access Components Could
>             Lead to Code Execution (Q329414)
> Date:       20 November, 2002
> Software:
>             Microsoft Data Access Components (MDAC) 2.1
>             Microsoft Data Access Components (MDAC) 2.5
>             Microsoft Data Access Components (MDAC) 2.6
>             Microsoft Internet Explorer 5.01
>             Microsoft Internet Explorer 5.5
>             Microsoft Internet Explorer 6.0
> Impact:     Run code of attacker's choice
> Max Risk:   Critical
> Bulletin:   MS02-065
>
> Microsoft encourages customers to review the Security Bulletins at:
> http://rd.mailshell.com/www.microsoft.com/security/security_bulletins/ms02-065.asp
> http://rd.mailshell.com/www.microsoft.com/technet/security/bulletin/MS02-065.asp.
> ----------------------------------------------------------------------
>
> Issue:
> ======
> Microsoft Data Access Components (MDAC) is a collection of components
> used to provide database connectivity on Windows platforms. MDAC is
> a ubiquitous technology, and it is likely to be present on most
> Windows systems:
>
>
> - It is included by default as part of Windows XP, Windows 2000, and
>   Windows Millennium.
> - It is available for download as a stand-alone technology in its
>   own right.
> - It is either included in or installed by a number of other products
>   and technologies. For instance, MDAC is included in the Windows NT
>   4.0 Option Pack, and some MDAC components are present as part of
>   Internet Explorer even if MDAC itself is not installed.
>
> MDAC provides the underlying functionality for a number of database
> operations, such as connecting to remote databases and returning data
> to a client. One of the MDAC components, known as Remote Data
> Services (RDS), provides functionality that supports three-tiered
> architectures - that is, architectures in which a client's requests
> for service from a back-end database are intermediated through a web
> site that applies business logic to them. A security vulnerability
> is present in the RDS implementation, specifically, in a function
> called the RDS Data Stub, whose purpose it is to parse incoming
> HTTP requests and generate RDS commands.
>
> The vulnerability results because of an unchecked buffer in the Data
> Stub. By sending a specially malformed HTTP request to the Data Stub,
> an attacker could cause data of his or her choice to overrun onto the
> heap. Although heap overruns are typically more difficult to exploit
> than the more-common stack overrun, Microsoft has confirmed that in
> this case it would be possible to exploit the vulnerability to run
> code of the attacker's choice on the user's system.
>
> Both web servers and web clients are at risk from the vulnerability:
> ----------------------------------------------------------------------
> - Web servers are at risk if a vulnerable version of MDAC is installed
>   and running on the server. To exploit the vulnerability against such
>   a web server, an attacker would need to establish a connection with
>   the server and then send a specially malformed HTTP request to it,
>   that would have the effect of overrunning the buffer with the
>   attacker's chosen data. The code would run in the security context
>   of the IIS service (which, by default, runs in the LocalSystem
>   context).
> - Web clients are at risk in almost every case, as the RDS Data Stub
>   is included with all current versions of Internet Explorer and
>   there is no option to disable it. To exploit the vulnerability
>   against a client, an attacker would need to host a web page that,
>   when opened, would send an HTTP reply to the user's system and
>   overrun the buffer with the attacker's chosen data. The web page
>   could be hosted on a web site or sent directly to users as an HTML
>   Mail. The code would run in the security context of the user.
>
> Clearly, this vulnerability is very serious, and Microsoft recommends
> that all customers whose systems could be affected by them take
> appropriate action immediately. Web server administrators should either
> install the patch, disable MDAC and/or RDS, or upgrade to MDAC 2.7,
> which is not affected by the vulnerability. Web client users should
> install the patch immediately on any system that is used for web
> browsing. It is important to stress that the latter guidance applies
> to any system used for web browsing, regardless of any other
> protective measures that have already been taken. For instance, a
> web server on which RDS had been disabled would still need the patch
> if it was occasionally used as a web client.
>
> Mitigating Factors:
> ====================
> Web Servers
> - Web servers that are using MDAC version 2.7 (the version that
>   shipped with Windows XP) or later are not affected by the
>   vulnerability.
> - Even if a vulnerable version of MDAC were installed, a web server
>   would only be at risk if RDS were enabled. RDS is disabled by default
>   on clean installations of Windows XP and Windows 2000, and can be
>   disabled on other systems by following the guidance in the IIS
>   Security Checklist. In addition, the IIS Lockdown Tool will
>   automatically disable RDS when used in its default configuration.
> - If the URLScan tool were deployed with its default ruleset (which
>   allows only ASCII data to be present in an HTTP request), it is
>   likely that the vulnerability could only be used for denial of
>   service attacks.
> - IIS can be configured to run with fewer than administrative
>   privileges. If this has been done, it would likewise limit the
>   privileges that an attacker could gain through the vulnerability.
> - IP address restrictions, if applied to the RDS virtual directory,
>   could enable the administrator to restrict access to only trusted
>   users. This is, however, not practical for most web server scenarios.
>
> Web clients
> - The HTML mail-based attack vector could not be exploited
>   automatically on systems where Outlook 98 or Outlook 2000 were used
>   in conjunction with the Outlook Email Security Update, or Outlook
>   Express 6 or Outlook 2002 were used in their default configurations.
> - Exploiting the vulnerability would convey to the attacker only the
>   user's privileges on the system. Users whose accounts are configured
>   to have few privileges on the system would be at less risk than
>   ones who operate with administrative privileges.
>
> Risk Rating:
> ============
>  - Internet systems: Critical
>  - Intranet systems: Critical
>  - Client systems: Critical
>
> Patch Availability:
> ===================
>  - A patch is available to fix this vulnerability. Please read the
>    Security Bulletin at
>    http://rd.mailshell.com/www.microsoft.com/technet/security/bulletin/ms02-065.asp
>    for information on obtaining this patch.
>
> Acknowledgment:
> ===============
>  - Microsoft thanks Foundstone Research Labs
>    (http://rd.mailshell.com/www.foundstone.com/) for reporting this
>    issue to us and working with us to protect customers.
>
> ---------------------------------------------------------------------
>
> THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
> "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
> WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
> MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
> SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
> WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS
> OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION
> OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
> SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
> CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
> NOT APPLY.
>

_______________________________________________
GECOS mailing list
GECOS at island.stanford.edu
http://island.stanford.edu/mailman/listinfo/gecos
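
The bulletin's exposure rules for web servers and web clients, written as an inventory triage function. This is an added example, not part of the original e-mail or of the bulletin; the Host fields, host names and verdict labels are assumptions, and MDAC versions are release numbers as the bulletin writes them ("2.5"), not DLL file versions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

FIXED_MDAC = (2, 7)  # per the bulletin, MDAC 2.7 or later is not affected

@dataclass
class Host:  # hypothetical inventory record; all field names are assumptions
    name: str
    mdac: Optional[str]            # MDAC release ("2.5"); None = unknown or IE stub only
    patched: bool = False          # MS02-065 patch installed
    browses_web: bool = False      # ever used as a web client
    iis_rds_enabled: bool = False  # IIS running with RDS enabled
    urlscan_default: bool = False  # URLScan deployed with its default ruleset

def parse_release(version: str) -> Tuple[int, int]:
    major, minor = version.split(".")[:2]
    return int(major), int(minor)

def triage(h: Host) -> Tuple[str, List[str]]:
    """Return (verdict, reasons) following the bulletin's server/client rules."""
    if h.patched:
        return "not-affected", ["patch installed"]
    if h.mdac is not None and parse_release(h.mdac) >= FIXED_MDAC:
        return "not-affected", ["MDAC 2.7 or later"]
    reasons = []
    if h.browses_web:
        # Applies even to a server whose RDS is disabled.
        reasons.append("client: RDS Data Stub ships with IE; code runs as the user")
    if h.iis_rds_enabled:
        if h.urlscan_default:
            reasons.append("server: RDS enabled; URLScan default likely limits impact to DoS")
        else:
            reasons.append("server: RDS enabled; code runs in the IIS service context")
    if not reasons:
        return "mitigated", ["vulnerable MDAC, but RDS disabled and host not used for browsing"]
    return "patch-now", reasons

# Constructed sample inventory (not real hosts).
INVENTORY = [
    Host("xp-desk", "2.7", browses_web=True),
    Host("w2k-web", "2.6", browses_web=True),  # RDS off, occasionally browses
    Host("nt4-web", "2.1", iis_rds_enabled=True, urlscan_default=True),
    Host("w2k-db", "2.5"),
    Host("me-laptop", None, browses_web=True),
]

if __name__ == "__main__":
    for host in INVENTORY:
        print(host.name, *triage(host))
```

A host whose MDAC release is unknown is treated as vulnerable, since the bulletin notes that some MDAC components are present in Internet Explorer even when MDAC itself is not installed.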



