RE: Question: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414)

From: Fraser Hugh (hugh_fraser@dofasco.ca)
Date: 11/28/02

    From: Fraser Hugh <hugh_fraser@dofasco.ca>
    To: "'Harris, Ken'" <KHarris@HIPUSA.com>, "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
    Date: Thu, 28 Nov 2002 10:37:41 -0500
    
    

    I have the same concerns with the message contained in the security
    bulletin. When I read between the lines, it seems to me that the "more
    permanent" solution referred to will be the one Microsoft already has in
    their back pocket... upgrade to 2.7. It is possible to prevent users from
    adding entries to the trusted publishers list, but when combined with
    removing Microsoft from the Trusted Publishers, it results in an
    unacceptable browser configuration for us.

    We are, therefore, focusing our resources on a 2.7 upgrade for our systems.

    I'd like to hear from others about their reaction/solution to the bulletin.
    While Microsoft categorizes the vulnerability as critical, our
    representative was surprised we were calling for any info about it.
    Apparently we were the only ones.

    > -----Original Message-----
    > From: Harris, Ken [mailto:KHarris@HIPUSA.com]
    > Sent: Friday, November 22, 2002 5:39 PM
    > To: 'focus-ms@securityfocus.com'
    > Subject: Question: Buffer Overrun in Microsoft Data Access Components
    > Could Lead to Code Execution (Q329414)
    >
    >
    > Hello all on focus-ms,
    >
    > Was wondering if anyone had figured out the best practice fix to the
    > security flaw described here:
    >
    > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-065.asp
    >
    > The reason I ask is that Microsoft does not seem to show much confidence in
    > this patch; e.g. in the Caveats section, it is implied that if a webpage
    > references the older, pre-patch RDS control, dependent upon the IE security
    > settings they will either be prompted to install the control, or it will be
    > installed silently if Microsoft is added to the Trusted Publishers list.
    >
    > We happen to have a mission-critical custom webapp used internally which
    > does use RDS, and is in the Trusted Sites zone on our workstations. However,
    > I can't guarantee that the developers of this solution will get around to
    > patching the server on which this runs, or changing the references in the
    > ASP pages. Microsoft is NOT in the Trusted Publishers list on our
    > workstation build, although there is nothing keeping our users from clicking
    > "Always trust content from Microsoft".
    >
    > Am I right in assuming that even if we deploy the patch to our workstations,
    > unless the patch is also applied to the webapp and the code is changed, the
    > vulnerable control could be reinstalled and the workstation would be again
    > vulnerable to this attack from a malicious website? Is there a better
    > option? The client/server nature of this vulnerability makes me think that
    > we may see a worm written to exploit it soon.
    >
    > Thanks in advance.
    >
    > Regards,
    >
    > Ken Harris