News

Critical Vulnerability Affects Most Windows Systems

Microsoft warned users late Wednesday of a critical new vulnerability involving the Microsoft Data Access Components, a ubiquitous technology present on most Windows systems. Especially vulnerable are Web servers in the middle of three-tier architectures with a SQL Server database at the back end and most Internet Explorer users.

Microsoft also issued an unrelated cumulative patch for Internet Explorer.

The critical vulnerability is a buffer overrun involving Remote Data Services (RDS), a component of MDAC. Microsoft describes MDAC as providing underlying functionality for a number of database operations. An unchecked buffer in a function called the RDS Data Stub permits an attacker to use a specially malformed HTTP request to cause a heap overrun. A sophisticated attack could result in the attacker to execute code on the target machine.

"Web server administrators should either install the patch, disable MDAC and/or RDS, or upgrade to MDAC 2.7, which is not affected by the vulnerability. Web client users should install the patch immediately on any system that is used for Web browsing," Microsoft's bulletin warns.

What makes the vulnerability especially serious for Internet Explorer is that the RDS Data Stub is included with all current versions of IE and there is no option to disable it. To exploit the vulnerability, an attacker would need to lure a user to a Web page that would send an HTTP reply to the user that would overrun the buffer.

A patch is available at www.microsoft.com/technet/security/bulletin/ms02-065.asp.

The separate cumulative Internet Explorer patch fixes six newly discovered vulnerabilities. It can be found at www.microsoft.com/technet/security/bulletin/ms02-066.asp.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Microsoft Warns IT Pros on Windows Netlogon Fix Coming Next Month

    Microsoft on Thursday issued a reminder to organizations to ensure that their systems are properly patched for a "Critical"-rated Windows Netlogon vulnerability before next month's "update Tuesday" patch distribution arrives.

  • Microsoft Nudging Skype for Business Users to Teams

    Microsoft on Thursday announced some perks and prods for Skype for Business unified communications users, with the aim of moving them to the Microsoft Teams collaboration service instead.

  • How To Improve Windows 10's Sound and Video Quality

    Windows 10 comes with built-in tools that can help users get the most out of their sound and video hardware.

  • Microsoft Offers More 'Solorigate' Advice Using Microsoft 365 Defender Tools

    Microsoft issued yet another article with advice on how to use its Microsoft 365 Defender suite of tools to protect against "Solorigate" advanced persistent threat types of attacks in a Thursday announcement.

comments powered by Disqus