Does this patch include any other security fixes?
Yes - this patch includes the fix for the security vulnerability that is discussed in Microsoft Security Bulletin MS02-040. Customers who want to install the patch for the vulnerability discussed in MS02-040 should install the patch in this security bulletin; it supercedes the patch in MS02-040.
What's the scope of this vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this flaw could gain the same level of privileges over the system as the application which initiated the broadcast request. The actions an attacker could carry out on the system would be dependent on the permissions which the application using MDAC ran under.
If the application ran with limited privileges, an attacker would be limited accordingly; however, if the application runs under the local system context, the attacker would have the same level of permissions. This could include creating, modifying, or deleting data on the system, or reconfiguring it the system. This could also include reformatting the hard disk or running programs of the attacker's choice on it.
What causes the vulnerability?
The vulnerability results because of an unchecked buffer in a specific MDAC component. If an attacker were able to successfully exploit this vulnerability, it could allow them to gain control over the system and take any action that the legitimate process executing MDAC could take.
What is Microsoft Data Access Components?
Microsoft Data Access Components (MDAC) is a collection of components that make it easy for programs to access databases and to change the data within them. Modern databases may take a variety of forms (for example, SQL Server databases, Microsoft Access databases, and XML files) and may be housed in a variety of locations (for example, on the local system or on a remote database server).
MDAC provides a consolidated set of functions for working with these data sources in a consistent manner. (A good discussion of MDAC and the components that it provides is available on MSDN).
What's wrong with the affected MDAC component?
When a client machine is trying to see list of Microsoft SQL Servers residing on the network, it will send a broadcast request to all devices on the network. Due to a flaw in a specific MDAC component, an attacker could respond with a specially crafted packet causing a buffer overflow to occur.
The flaw results because the client does not appropriately validate the data that is contained in the packet.
Do I have MDAC on my system?
It is very likely that you do as MDAC is a ubiquitous technology:
• | MDAC installs as part of Windows XP, Windows Millennium Edition, Windows 2000 and Windows Server 2003. (It is worth noting, though, that the version that is installed by Windows Server 2003 does not have this vulnerability.) |
• | MDAC is available for download from the Microsoft Web site. |
• | MDAC is installed by many other Microsoft applications. To name just a few cases, it's installed as part of the Windows NT 4.0 Option Pack and by both Microsoft Access and SQL Server. |
• | Some of the components in MDAC are included in other Microsoft technologies. For instance, Internet Explorer includes some MDAC functions. |
A tool is available that can help you determine what version of MDAC is running on your system. Microsoft Knowledge Base article 307255 describes this tool and explains how to use it.
What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to reply to a client system request with a malformed User Datagram Protocol (UDP) packet, which would cause a buffer overrun to occur.
If an attacker were to successfully exploit this vulnerability, they could take any action that they wanted to on the system that the overrun process could take.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by simulating a SQL server that listens on a network for a client system to request an enumeration of all systems on the specific network that are running SQL Server. By replying to that request with a specially crafted packet, an attacker could cause a buffer overrun to occur in a specific MDAC component on the client system.
What does the patch do?
This patch eliminates the vulnerability by validating that the number of bytes that are specified in the reply is of an appropriate value.