[NT] Microsoft Data Access Components (MDAC) Function Code Execution (MS06-014)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 18 Apr 2006 12:52:38 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Microsoft Data Access Components (MDAC) Function Code Execution (MS06-014)
------------------------------------------------------------------------
SUMMARY
Microsoft Data Access Components (commonly abbreviated MDAC) is a group
of Microsoft technologies that work together as a framework, giving
programmers a uniform and comprehensive way of developing applications
for accessing almost any data store. It is made up of various
components: ActiveX Data Objects (ADO), OLE DB, and Open Database
Connectivity (ODBC). There have been several deprecated components as
well, such as the Microsoft Jet Database Engine, MSDASQL, and Remote Data
Services (RDS). Some components have also become obsolete, such as the
former Data Access Objects API and Remote Data Objects.
If a user is logged on with administrative user rights, an attacker who
successfully exploited this vulnerability could take complete control of
an affected system. An attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights. Users whose
accounts are configured to have fewer user rights on the system could be
less impacted than users who operate with administrative user rights.
DETAILS
Affected Software:
* Microsoft Windows XP Service Pack 1 running Microsoft Data Access
Components 2.7 Service Pack 1 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=2F9E772C-8122-4027-A117-E93227B2C79F> Download the update
* Microsoft Windows XP Service Pack 2 running Microsoft Data Access
Components 2.8 Service Pack 1 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=2F9E772C-8122-4027-A117-E93227B2C79F> Download the update
* Microsoft Windows XP Professional x64 Edition running Microsoft Data
Access Components 2.8 Service Pack 2 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=9C8B645D-0F01-4B79-B6B3-55279BEDB944> Download the update
* Microsoft Windows Server 2003 running Microsoft Data Access Components
2.8 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=39B29ED4-9B95-4593-BCB6-4BB03CA5F8F1> Download the update
* Microsoft Windows Server 2003 Service Pack 1 running Microsoft Data
Access Components 2.8 Service Pack 2 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=39B29ED4-9B95-4593-BCB6-4BB03CA5F8F1> Download the update
* Microsoft Windows Server 2003 for Itanium-based Systems running
Microsoft Data Access Components 2.8 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=4D2FE426-E34E-4192-8A0F-35E440E948E2> Download the update
* Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
running Microsoft Data Access Components 2.8 Service Pack 2 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=4D2FE426-E34E-4192-8A0F-35E440E948E2> Download the update
* Microsoft Windows Server 2003 x64 Edition running Microsoft Data Access
Components 2.8 Service Pack 2 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=E237C2C7-9819-437B-AB70-298BA62AC285> Download the update
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME)
Affected Components:
* Windows 2000 Service Pack 4 with Microsoft Data Access Components 2.5
Service Pack 3 installed -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=1B3E6CB9-1EF2-4BA1-A2F2-F87B717372FB> Download the update
* Windows 2000 Service Pack 4 with Microsoft Data Access Components 2.7
Service Pack 1 installed -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=0AA7C8B7-8417-42D8-8E73-5466C03B8C65> Download the update
* Windows 2000 Service Pack 4 with Microsoft Data Access Components 2.8
installed -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=2494B25D-452F-4025-8B67-41A5C840F7E2> Download the update
* Windows 2000 Service Pack 4 with Microsoft Data Access Components 2.8
Service Pack 1 installed -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=7358DA31-959C-4E3E-8115-51DC6D441365> Download the update
* Windows XP Service Pack 1 with Microsoft Data Access Components 2.8
installed -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=2494B25D-452F-4025-8B67-41A5C840F7E2> Download the update
Note: The Affected Software section applies to MDAC that shipped with a
Microsoft Windows operating system. The Affected Components section
applies to MDAC that was downloaded and installed onto a Microsoft Windows
operating system.
Microsoft strongly recommends that all customers who currently use a
version of Windows that does not have Microsoft Data Access Components 2.7
Service Pack 1 or higher upgrade immediately to Microsoft Data Access
Components 2.8 Service Pack 1 or another supported version. The only
exception to this notice is customers who currently use Windows 2000
Service Pack 4 running Microsoft Data Access Components 2.5 Service Pack
3. See Knowledge Base Article 915387 for more information.
The security updates for Microsoft Windows Server 2003 and Microsoft
Windows Server 2003 Service Pack 1 also apply to Microsoft Windows Server
2003 R2.
Mitigating Factors for Microsoft Windows MDAC Vulnerability -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0003>
CVE-2006-0003:
In a Web-based attack scenario, an attacker would have to host a Web site
that contains a Web page that is used to attempt to exploit this
vulnerability. An attacker would have no way to force users to visit a
malicious Web site. Instead, an attacker would have to persuade them to
visit the Web site, typically by getting them to click a link that takes
them to the attacker's site. It could also be possible to display
malicious Web content by using banner advertisements or by using other
methods to deliver Web content to affected systems.
An attacker who successfully exploited this vulnerability could gain the
same user rights as the local user. Users whose accounts are configured to
have fewer user rights on the system could be less impacted than users who
operate with administrative user rights.
By default, Internet Explorer on Windows Server 2003 runs in a restricted
mode that is known as
<http://msdn.microsoft.com/library/default.asp?url=/workshop/security/szone/overview/esc_changes.asp> Enhanced Security Configuration. This mode mitigates this vulnerability in the e-mail vector because reading e-mail messages in plain text is the default configuration for Outlook Express. See the FAQ section of this security update for more information about Internet Explorer Enhanced Security Configuration.
Workarounds for Microsoft Windows MDAC Vulnerability -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0003>
CVE-2006-0003:
Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.
* Disable the RDS.Dataspace ActiveX control from running within Internet
Explorer
Disable attempts to instantiate the RDS.Dataspace ActiveX control in
Internet Explorer by setting the kill bit for the control.
Warning If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system.
Microsoft cannot guarantee that you can solve problems that result from
using Registry Editor incorrectly. Use Registry Editor at your own risk.
For example, to set the kill bit for a CLSID for this object, paste the
following text in a text editor such as Notepad. Then, save the file by
using the .reg file name extension.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BD96C556-65A3-11D0-983A-00C04FC29E36}]
"Compatibility Flags"=dword:00000400
Note For more information about how to prevent a control from running in
Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow the
procedure that this article provides to create a Compatibility Flags value
in the registry. By doing this, you will prevent the RDS.Dataspace ActiveX
control from being instantiated in Internet Explorer.
Impact of Workaround: Any Web-based application that requires the RDS
control to be instantiated within Internet Explorer will no longer
function correctly.
* Set Internet and Local intranet security zone settings to High to
prompt before running ActiveX controls in these zones
You can help protect against this vulnerability by changing your settings
for the Internet security zone to prompt before running ActiveX controls.
You can do this by setting your browser security to High.
To raise the browsing security level in Microsoft Internet Explorer,
follow these steps:
1. On the Internet Explorer Tools menu, click Internet Options.
2. In the Internet Options dialog box, click the Security tab, and then
click the Internet icon.
3. Under Security level for this zone, move the slider to High. This sets
the security level for all Web sites you visit to High.
Note If no slider is visible, click Default Level, and then move the
slider to High.
Repeat steps 1 through 3 for the Local intranet security zone by clicking
on the Local intranet icon.
Note Setting the level to High may cause some Web sites to work
incorrectly. If you have difficulty using a Web site after you change this
setting, and you are sure the site is safe to use, you can add that site
to your list of trusted sites. This will allow the site to work correctly
even with the security setting set to High.
Impact of Workaround: User will be prompted prior to running ActiveX
controls unless the Web site is in the user's list of trusted sites.
* Configure Internet Explorer to prompt before running ActiveX controls
or disable ActiveX controls in the Internet and Local intranet security
zone
You can help protect against this vulnerability by changing your settings
to prompt before running ActiveX controls or disable ActiveX controls in
the Internet and Local intranet security zone. To do this, follow these
steps:
1. On the Internet Explorer Tools menu, click Internet Options.
2. In the Internet Options dialog box, click the Security tab, and then
click the Internet icon.
3. Click Custom Level.
4. Under Settings, in the ActiveX controls and plug-ins section, under Run
ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.
5. Click Local intranet, and then click Custom Level.
6. Under Settings, in the ActiveX controls and plug-ins section, under Run
ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.
7. Click OK two times to return to Internet Explorer.
Impact of Workaround: There are side effects to prompting before running
ActiveX controls. Many Web sites that are on the Internet or on an
intranet use ActiveX to provide additional functionality. For example, an
online e-commerce site or banking site may use ActiveX controls to provide
menus, ordering forms, or even account statements. Prompting before
running ActiveX controls is a global setting that affects all Internet and
intranet sites. You will be prompted frequently when you enable this
workaround. For each prompt, if you feel you trust the site that you are
visiting, click Yes to run ActiveX controls.
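To confirm that the kill-bit workaround above actually took effect on a host, the following added example (not part of the Microsoft bulletin or the SecuriTeam advisory) parses the text of a registry export and reports whether the 0x400 flag is set for the RDS.Dataspace CLSID. The function names, the sample export and the check of the Wow6432Node view are assumptions of this example; the CLSID, key path and flag value are the ones given in the workaround.

```python
import re

# CLSID, key path and flag value come from the advisory's workaround text.
RDS_DATASPACE_CLSID = "{BD96C556-65A3-11D0-983A-00C04FC29E36}"
KILL_BIT = 0x00000400
COMPAT_SUBKEY = r"Microsoft\Internet Explorer\ActiveX Compatibility"
# Assumption (not in the advisory): on x64 Windows, 32-bit Internet Explorer
# reads the Wow6432Node view, so both views are audited.
VIEWS = {
    "native": r"HKEY_LOCAL_MACHINE\SOFTWARE",
    "wow6432": r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node",
}
SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: int}} for dword values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            current = keys.setdefault(section.group(1).lower(), {})
            continue
        value = DWORD_RE.match(line)
        if value and current is not None:
            current[value.group(1).lower()] = int(value.group(2), 16)
    return keys

def killbit_status(reg_text, clsid=RDS_DATASPACE_CLSID):
    """Map each registry view to 'set', 'not set' or 'missing' for the kill bit."""
    keys = parse_reg(reg_text)
    status = {}
    for view, root in VIEWS.items():
        path = f"{root}\\{COMPAT_SUBKEY}\\{clsid}".lower()
        flags = keys.get(path, {}).get("compatibility flags")
        # Other compatibility bits may be present, so test the bit, not equality.
        state = "set" if flags is not None and flags & KILL_BIT else "not set"
        status[view] = "missing" if flags is None else state
    return status

# Constructed sample: registry export text from a hypothetical x64 host where
# only the native view received the workaround.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BD96C556-65A3-11D0-983A-00C04FC29E36}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BD96C556-65A3-11D0-983A-00C04FC29E36}]
"Compatibility Flags"=dword:00000000
"""

if __name__ == "__main__":
    print(killbit_status(SAMPLE_EXPORT))
```

A value line written as "dword: 00000400" (with a space after the colon) is not matched by this parser and is reported as missing.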
FAQ for Microsoft Windows MDAC Vulnerability -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0003>
CVE-2006-0003:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could remotely take complete
control of an affected system.
If a user is logged on with administrative user rights, an attacker who
successfully exploited this vulnerability could take complete control of
an affected system. An attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights. Users whose
accounts are configured to have fewer user rights on the system could be
less impacted than users who operate with administrative user rights.
What causes the vulnerability?
Under certain conditions, the RDS.Dataspace ActiveX control fails to
ensure that it interacts safely when it is hosted on a Web page.
What is Remote Data Services (RDS)?
Remote Data Service (RDS) is a feature of ADO. You can use RDS to move
data from a server to a client application or to a Web page, to manipulate
the data on the client, and to return updates to the server in a single
round trip.
Who could exploit the vulnerability?
An attacker could create an e-mail message that is specially crafted to
try to exploit this vulnerability. An attacker could exploit the
vulnerability by sending this specially crafted e-mail message to a user
of a server that is running an affected software application. An attacker
could then persuade the user to click a link in the e-mail message. In a
Web-based attack scenario, an attacker would have to host a Web site that
contains a Web page that is used to attempt to exploit this vulnerability.
An attacker would have no way to force users to visit a malicious Web
site. Instead, an attacker would have to persuade them to visit the Web
site, typically by getting them to click a link that takes them to the
attacker's site. It could also be possible to display malicious Web
content by using banner advertisements or by using other methods to
deliver Web content to affected systems.
What systems are primarily at risk from the vulnerability?
This vulnerability requires that a user is logged on and reading e-mail
messages or is visiting Web sites for any malicious action to occur.
Therefore, any systems where e-mail messages are read or where Internet
Explorer is used frequently, such as workstations or terminal servers, are
at the most risk from this vulnerability.
What does the update do?
The update removes the vulnerability by applying additional restrictions
to the behavior of the RDS.Dataspace ActiveX control when it is hosted on
a Web page.
When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure. Microsoft had not received any information to
indicate that this vulnerability had been publicly disclosed when this
security bulletin was originally issued.
ADDITIONAL INFORMATION
The original article can be found at:
<http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx>