MinorRev: Microsoft Security Bulletin MS04-003 - Buffer Overrun in MDAC Function Could Allow Code Execution (832483)

• Previous message: Russ: "MinorRev: Microsoft Security Bulletin MS04-002 - Vulnerability in Exchange Server 2003 Could Lead to Privilege Escalation (832759)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Mon, 2 Feb 2004 13:46:44 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Reason for Revision:
V1.1 January 30, 2004: Updated the IPSEC policy in the Workarounds
section, updated the command line install string under the Deployment
Information section.

Microsoft Security Bulletin MS04-003:
Buffer Overrun in MDAC Function Could Allow Code Execution (832483)

Bulletin URL:
http://www.microsoft.com/technet/security/bulletin/MS04-003.asp

Summary:
 Version Number: V1.1
 Revision Date: 01-30-2004
 Impact of Vulnerability: Remote code execution
 Maximum Severity Rating: Important
 Patch(es) Replaced: This update replaces the one that is provided in
Microsoft Security Bulletin MS03-033.
 Caveats: None
 CVE Number(s): CAN-2003-0903

Tested Software:
 Affected Software:
 * Microsoft Data Access Components 2.5 (included with Microsoft Windows
2000)
 * Microsoft Data Access Components 2.6 (included with Microsoft SQL
Server 2000)
 * Microsoft Data Access Components 2.7 (included with Microsoft Windows
XP)
 * Microsoft Data Access Components 2.8 (included with Microsoft Windows
Server 2003)

Note The same update applies to all these versions of MDAC
<http://www.ntbugtraq.com/link/39472EE8-C14A-47B4-BFCC-87988E062D91.asp>
 * Microsoft Data Access Components 2.8 (included with Windows Server
2003 64-Bit Edition)
<http://www.ntbugtraq.com/link/1D93D9E4-2B22-4595-B8C5-643824857EC0.asp>

 Software Not Affected:

This email is sent to NTBugtraq automagically as a service to my
subscribers. (v2.3)

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

-----
NTBugtraq Editor's Note:

Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
-----

• Previous message: Russ: "MinorRev: Microsoft Security Bulletin MS04-002 - Vulnerability in Exchange Server 2003 Could Lead to Privilege Escalation (832759)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: DDE mailmerge between Word and Excel ... The only thing I can think of is the MDAC (Microsoft Data Access Components) ... Excel 2003 database using DDE. ... (microsoft.public.word.docmanagement) Re: Problem mit ODBC Connection von W2k3 aud W2k3 SQL 2k5 ... Microsoft Data Access Components 2.8 contains core Data Access ... This redistributable installer for the MDAC 2.8 release installs the same ... (microsoft.public.de.sqlserver) Alert: Microsoft Security Bulletin MS04-003 - Buffer Overrun in MDAC Function Could Allow Code Execu ... Microsoft Security Bulletin MS04-003: ... * Microsoft Data Access Components 2.5 (included with Microsoft Windows ... Note The same update applies to all these versions of MDAC ... (NT-Bugtraq) Re: Mail merge & Publisher ... See if updating your MDAC components and Jet helps ... Microsoft Data Access Components 2.8 SP1 ... file that is a Microsoft Excel comma seperated value file or a Microsoft ... (microsoft.public.publisher) Critical Microsoft Security Bulletin - MS04-004 ... - Microsoft Windows NTŪ Workstation 4.0 Service Pack 6a ... - Internet Explorer 6 for Windows Server 2003 ... IMPACT OF VULNERABILITY: Remote Code Execution ... (microsoft.public.windows.mediacenter)