Browsers - MDAC Exploit Code Recipe Published - eWeek Security Watch
Security Watch
SHARE
Facebook X Pinterest WhatsApp

MDAC Exploit Code Recipe Published

Written By
Lisa Vaas
Lisa Vaas
Mar 27, 2007
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Exploit code is out for a critical MDAC vulnerability that Microsoft reported in its MS07-009 bulletin, so if you haven’t patched yet, better hop to it.

The vulnerability, which can allow a remote attacker to take over a PC, is in Microsoft’s Data Access Components. Microsoft provided a fix for the vulnerability on Patch Tuesday, Feb. 13 .

Security firm Websense Security Labs is reporting that full exploit code for the flaw was published this morning. Websense said its scanners are “actively searching for any live sites that are attempting to exploit this vulnerability.”

Websense also said hackers are fond of this type of vulnerability and we can look forward to its usage increasing “substantially” now that somebody’s put the exploit recipe out there.

Well-known hacker and co-founder of the Metasploit Framework HD Moore originally demonstrated the flaw—which was only a denial of service at the time—as #29 in his Month of Browser Bugs in July 2006.

Moore demonstrated the bug on what was then the latest version of Internet Explorer 6, on a fully patched Windows XP SP2 system.

As Microsoft describes it, “A remote code execution vulnerability exists in the ADODB.Connection ActiveX control that is provided as part of the ActiveX Data Objects (ADO) and that is distributed in MDAC. An attacker who successfully exploited this vulnerability could take complete control of an affected system.”

Microsoft also said that in a Web-based attack, the attacker would need to host a Web site with a Web page used to exploit the vulnerability. The attacker has no way to force users to visit such a page, but could persuade users to visit with a link in a scam e-mail or IM message. If the attacker succeeded in luring a user in, he or she could gain the same rights as the logged-in user.

Another mitigating factor is that by default, Microsoft Outlook and Outlook Express open HTML e-mail in the Restricted site zone. That zone prevents Active Scripting and ActiveX controls from launching when the user is reading HTML e-mail. But if the user were to click on a malicious link, all bets would be off and the attack could go through successfully.

Also, IE on Windows Server 2003 runs in a restricted mode known as Enhanced Security Configuration, which sets the security level for the Internet zone to High.

Websense recommends that users apply the patch immediately if they haven’t already.

*This entry was changed to reflect that this flaw is in MDAC, not in IE.
Lisa Vaas
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

facebook
linkedin
youtube
rss
x

Company

About us Contact us Advertise with us

Categories

Latest News Resources Artificial Intelligence Video Big Data & Analytics Cloud Networking

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information