RE: Question: Buffer Overrun in Microsoft Data Access Components Coul d Lead to Code Execution (Q329414)

• Previous message: Anders Thulin: "Odd entries in Win XP Pro Certificate MMC snap-in"
• Maybe in reply to: Harris, Ken: "Question: Buffer Overrun in Microsoft Data Access Components Coul d Lead to Code Execution (Q329414)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 27 Nov 2002 08:51:27 -0800
From: "Brad Bemis" <Brad.Bemis@airborne.com>
To: "Harris, Ken" <KHarris@HIPUSA.com>, "Kolde, Jennifer E." <jkolde@nosc.mil>, focus-ms@securityfocus.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am a little leery about installing MDAC on client systems that do not
require the full suite of services it provides.

We have been updating our servers to MDAC 2.7, but rolling out the patch
via logon/shutdown scripts to our client base. I am not entirely happy
about the inherent flaw in this particular patch, but as I understand it,
the flaw revolves around the new component control for RDS being replace by
a pre-patched version.

Has anybody taken a good hard look at what discernable changes take place
when the pre-patched version is reintroduced?

I'd be interested in the possibility of identifying specific elements of
the control that can be tested by a script to determine which version is
currently active and reapplying the patch if indeed the old control
component has been reintroduced.

Does anyone have any thoughts on this?

- - Brad Bemis

- -----Original Message-----
From: Harris, Ken [mailto:KHarris@HIPUSA.com]
Sent: Tuesday, November 26, 2002 12:16 PM
To: 'Kolde, Jennifer E.'; 'focus-ms@securityfocus.com'
Subject: RE: Question: Buffer Overrun in Microsoft Data Access
Components Coul d Lead to Code Execution (Q329414)

Hello,

Thanks to all on focus-ms who replied, very good information indeed. It
looks like the best practice is to upgrade across the board to MDAC 2.7
(with proper testing) /unless/ there is a known inoperability requiring
2.6,
in which case the patch is our best (albeit weak) hope.

Thanks again for your help,

Ken Harris

- -----Original Message-----
From: Kolde, Jennifer E. [mailto:jkolde@nosc.mil]
Sent: Tuesday, November 26, 2002 1:21 PM
To: Harris, Ken; 'focus-ms@securityfocus.com'
Subject: RE: Question: Buffer Overrun in Microsoft Data Access Components
Coul d Lead to Code Execution (Q329414)

Hello Ken,

Sorry, trying again minus the digital signature.

Microsoft also (quietly) lists upgrading to MDAC 2.7 as another fix. The
information in the security bulletin is a bit confusing when you try to
figure out just what is going on and where the vulnerability lies. The way
I
read it, the problem lies both the version of MDAC used AND a specific
ActiveX control that is vulnerable. You are correct that even if you patch
your current version of MDAC, the vulnerable ActiveX control could still be
introduced.

MDAC 2.7 is not vulnerable to the problem according to Microsoft, so if you
upgrade to 2.7, the ActiveX issue becomes moot.

A possible concern is that, because MDAC brokers your database requests,
the
upgrade may affect your application based on any differences between the
older MDAC components and 2.7. I'm not a database guru (IANADBG???) so
you'd have to research/test this on your own.

MDAC can be downloaded from http://www.microsoft.com/data/, which also
includes documentation / changelogs for different versions. I did install
MDAC 2.7 on a Win2K Server with no ill effects, but the Server is not doing
anything specifically database-related.

Regards,
Jennifer

- -----Original Message-----
From: Harris, Ken [mailto:KHarris@HIPUSA.com]
Sent: Friday, November 22, 2002 2:39 PM
To: 'focus-ms@securityfocus.com'
Subject: Question: Buffer Overrun in Microsoft Data Access Components Coul
d
Lead to Code Execution (Q329414)

Hello all on focus-ms,

Was wondering if anyone had figured out the best practice fix to the
security flaw described here:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/MS02-065.asp

The reason I ask is that Microsoft does not seem to show much confidence in
this patch; e.g. in the Caveats section, it is implied that if a webpage
references the older, pre-patch RDS control, dependent upon the IE security
settings they will either be prompted to install the control, or it will be
installed silently if Microsoft is added to the Trusted Publishers list.

We happen to have a mission-critical custom webapp used internally which
does use RDS, and is in the Trusted Sites zone on our workstations.
However,
I can't guarantee that the developers of this solution will get around to
patching the server on which this runs, or changing the references in the
ASP pages. Microsoft is NOT in the Trusted Publishers list on our
workstation build, although there is nothing keeping our users from
clicking
"Always trust content from Microsoft".

Am I right in assuming that even if we deploy the patch to our
workstations,
unless the patch is also applied to the webapp and the code is changed, the
vulnerable control could be reinstalled and the workstation would be again
vulnerable to this attack from a malicious website? Is there a better
option? The client/server nature of this vulnerability makes me think that
we may see a worm written to exploit it soon.

Thanks in advance.

Regards,

Ken Harris

**********************************************************************
This message is a PRIVILEGED AND CONFIDENTIAL communication, and is
intended
only for the individual(s) named herein or others specifically authorized
to
receive the communication. If you are not the intended recipient, you are
hereby notified that any dissemination, distribution or copying of this
communication is strictly prohibited. If you have received this
communication in error, please notify the sender of the error immediately,
do not read or use the communication in any manner, destroy all copies, and
delete it from your system if the communication was sent via email.

**********************************************************************

-----BEGIN PGP SIGNATURE-----
Version: PGP Freeware, Ver 6.5.8CKT - Build 8
Comment: KeyID: 0xB8F26ADD
Comment: Fingerprint: 6E1C D617 CD65 A203 7FD5 4C68 90E7 39F4 B8F2 6ADD

iQA/AwUBPeT4D5DnOfS48mrdEQJKFgCgwtrNt3zern6aYE/EJYiK3bVoCEwAoKyX
Dk2tNVSKKrP/Q2PpWuAxC5BS
=gFMM
-----END PGP SIGNATURE-----

• Next message: epic: "RE: Secure / Encrypt Terminal Services"
• Previous message: Anders Thulin: "Odd entries in Win XP Pro Certificate MMC snap-in"
• Maybe in reply to: Harris, Ken: "Question: Buffer Overrun in Microsoft Data Access Components Coul d Lead to Code Execution (Q329414)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]