Alert: Microsoft Security Bulletin - MS03-033

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 08/20/03

  • Next message: Russ: "Revised: Microsoft Security Bulletin - MS02-040"
    Date:         Wed, 20 Aug 2003 14:33:40 -0400

    Unchecked Buffer in MDAC Function Could Enable System Compromise (823718)

    Originally posted: August 20, 2003


    Who should read this bulletin: Customers using Microsoft® Windows®

    Impact of vulnerability: Run code of the attacker's choice

    Maximum Severity Rating: Important

    Recommendation: Users should apply the security patch to affected systems.

    Affected Software:
    - Microsoft Data Access Components 2.5
    - Microsoft Data Access Components 2.6
    - Microsoft Data Access Components 2.7
    Not Affected Software:
    - Microsoft Data Access Components 2.8

    An End User version of the bulletin is available at:

    Technical description:

    Microsoft Data Access Components (MDAC) is a collection of components that are used to provide database connectivity on Windows platforms. MDAC is a ubiquitous technology, and it is likely to be present on most Windows systems:
    - By default, MDAC is included by default as part of Microsoft Windows XP, Windows 2000, Windows Millennium Edition, and Windows Server 2003. (It is worth noting, though, that the version that is installed by Windows Server 2003 does not have this vulnerability).
    - MDAC is available for download as a stand-alone technology.
    - MDAC is either included in or installed by a number of other products and technologies. For example, MDAC is included in the Microsoft Windows NT® 4.0 Option Pack and in Microsoft SQL Server 2000. Additionally, some MDAC components are present as part of Microsoft Internet Explorer even when MDAC itself is not installed. MDAC provides the underlying functionality for a number of database operations, such as connecting to remote databases and returning data to a client. When a client system on a network tries to see a list of computers that are running SQL Server and that reside on the network, it sends a broadcast request to all the devices that are on the network. Due to a flaw in a specific MDAC component, an attacker could respond to this request with a specially crafted packet that could cause a buffer overflow.

    An attacker who successfully exploited this flaw could gain the same level of privileges over the system as the application that initiated the broadcast request. The actions an attacker could carry out would be dependent on the permissions which the application using MDAC ran under. If the application ran with limited privileges, an attacker would be limited accordingly; however, if the application ran under the local system context, the attacker would have the same level of permissions. This could include creating, modifying, or deleting data on the system, or reconfiguring the system. This could also include reformatting the hard disk or running programs of the attacker's choice.

    This bulletin supercedes the patch discussed in MS02-040. Customers should install this patch as it contains both the fix for the vulnerability discussed in bulletin MS02-040 and the patch discussed in this bulletin.

    Mitigating factors:
    - For an attack to be successful an attacker would need to simulate a SQL server on the same subnet as the target system.
    - Code executed on the client system would only run under the privileges of the client application that made the broadcast request.
    - MDAC version 2.8 (which is the version included with Windows Server 2003) does not contain the flaw that is addressed by this bulletin.

    Vulnerability identifier: CAN-2003-0353

    This email is sent to NTBugtraq automatically as a service to my subscribers. (v1.18)

    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

    Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!

    With a growth rate exceeding 110%, the TICSA security practitioner
    certification is one of the hottest IT credentials available. And now, for
    a limited time, you can save 33% off of the TICSA certification exam! To
    learn more about the TICSA certification, and to register as a TICSA
    candidate online, just go to


  • Next message: Russ: "Revised: Microsoft Security Bulletin - MS02-040"