There is a serious security flaw in a technology included in many versions of Windows and Internet Explorer that enables an attacker to gain complete control of vulnerable Web servers or client machines.
The flaw lies in the Microsoft Data Access Components, a collection of components used to provide database connectivity on Windows. The MDAC components are typically used to connect to remote databases or return data to a client machine.
The buffer overrun vulnerability is in the Remote Data Services (RDS) Data Stub implementation, which parses incoming HTTP requests and creates RDS commands. By sending a specially formatted request to the Data Stub, an attacker could cause any code of choice to overflow onto the heap and execute, Microsoft Corp. said in its advisory, published Wednesday.
On client machines, this attack would either take the form of a malicious Web page hosted by the attacker or sent via HTML mail. To compromise a server, the attacker would only need to connect to the server and send the HTTP request.
MDAC installs by default as part of Windows Me, 2000 and XP and in IE 5.01, 5.5 and 6.0. Its also included in the NT 4.0 Option Pack and can be downloaded on its own. However, the version of MDAC that ships with Windows XP–Version 2.7–is not affected.
Virtually any Windows PC that is running IE is vulnerable to this attack, as MDAC is included with every current version of the browser, and there is no way to disable it. Any code that the attacker is able to run on a vulnerable machine would run in the security context of the local user.
For Web servers, the attackers code would run in the security context of IIS, which has system privileges by default.
The patch for this vulnerability is located here.