Security Watch

Keeping Track of patches and hacks in the IT security world.

MDAC Exploit Code Recipe Published

Exploit code is out for a critical MDAC vulnerability that Microsoft reported in its MS07-009 bulletin, so if you haven't patched yet, better hop to it.

The vulnerability, which can allow a remote attacker to take over a PC, is in Microsoft's Data Access Components. Microsoft provided a fix for the vulnerability on Patch Tuesday, Feb. 13 .

Security firm Websense Security Labs is reporting that full exploit code for the flaw was published this morning. Websense said its scanners are "actively searching for any live sites that are attempting to exploit this vulnerability."

Websense also said hackers are fond of this type of vulnerability and we can look forward to its usage increasing "substantially" now that somebody's put the exploit recipe out there.

Well-known hacker and co-founder of the Metasploit Framework HD Moore originally demonstrated the flaw—which was only a denial of service at the time—as #29 in his Month of Browser Bugs in July 2006.

Moore demonstrated the bug on what was then the latest version of Internet Explorer 6, on a fully patched Windows XP SP2 system.

As Microsoft describes it, "A remote code execution vulnerability exists in the ADODB.Connection ActiveX control that is provided as part of the ActiveX Data Objects (ADO) and that is distributed in MDAC. An attacker who successfully exploited this vulnerability could take complete control of an affected system."

Microsoft also said that in a Web-based attack, the attacker would need to host a Web site with a Web page used to exploit the vulnerability. The attacker has no way to force users to visit such a page, but could persuade users to visit with a link in a scam e-mail or IM message. If the attacker succeeded in luring a user in, he or she could gain the same rights as the logged-in user.

Another mitigating factor is that by default, Microsoft Outlook and Outlook Express open HTML e-mail in the Restricted site zone. That zone prevents Active Scripting and ActiveX controls from launching when the user is reading HTML e-mail. But if the user were to click on a malicious link, all bets would be off and the attack could go through successfully.

Also, IE on Windows Server 2003 runs in a restricted mode known as Enhanced Security Configuration, which sets the security level for the Internet zone to High.

Websense recommends that users apply the patch immediately if they haven't already.

*This entry was changed to reflect that this flaw is in MDAC, not in IE.