[windows2000] Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414)

  • From: "Greg Reese" <GReese@xxxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>, <windows2000@xxxxxxxxxxxxx>
  • Date: Wed, 20 Nov 2002 16:34:45 -0500

Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

I am not sure if this has been posted yet or not.  Either way, here it =
is.

Greg

Link may wrap:
http://www.microsoft.com/technet/treeview/default.asp?url=3D/technet/secu=
rity/bulletin/MS02-065.asp

Buffer Overrun in Microsoft Data Access Components Could Lead to Code =
Execution (Q329414)
Originally posted: November 20, 2002=20
Summary
        Who should read this bulletin: Customers using Microsoft=AE Windows=AE, 
=
particularly those who operate web sites or browse the Internet.=20
        Impact of vulnerability: Run code of attacker's choice=20
        Maximum Severity Rating: Critical=20
        Recommendation: Users should apply the patch immediately.=20
        Affected Software:=20
*       Microsoft Data Access Components (MDAC) 2.1=20
*       Microsoft Data Access Components (MDAC) 2.5=20
*       Microsoft Data Access Components (MDAC) 2.6=20
*       Microsoft Internet Explorer 5.01=20
*       Microsoft Internet Explorer 5.5=20
*       Microsoft Internet Explorer 6.0=20
        Note: The vulnerability does not affect Windows XP, despite the fact =
that it uses Internet Explorer 6.0. Windows XP customers do not need to =
take any action.=20
        End User Bulletin: An end user version of this bulletin is available =
at: <http://www.microsoft.com/security/security_bulletins/ms02-065.asp>=20
 <<ole0.bmp>> Technical details=20
        Technical description:=20
=09
        Microsoft Data Access Components (MDAC) is a collection of components =
used to provide database connectivity on Windows platforms. MDAC is a =
ubiquitous technology, and it is likely to be present on most Windows =
systems:=20
*       It is included by default as part of Windows XP, Windows 2000, and =
Windows Millennium.=20
*       It is available for download as a stand-alone technology in its own =
right=20
*       It is either included in or installed by a number of other products =
and technologies. For instance, MDAC is included in the Windows NT=AE =
4.0 Option Pack, and some MDAC components are present as part of =
Internet Explorer even if MDAC itself is not installed.=20
        MDAC provides the underlying functionality for a number of database =
operations, such as connecting to remote databases and returning data to =
a client. One of the MDAC components, known as Remote Data Services =
(RDS), provides functionality that support three-tiered architectures - =
that is, architectures in which a client's requests for service from a =
back-end database are intermediated through a web site that applies =
business logic to them. A security vulnerability is present in the RDS =
implementation, specifically, in a function called the RDS Data Stub, =
whose purpose it is to parse incoming HTTP requests and generate RDS =
commands.=20
        A security vulnerability resulting from an unchecked buffer in the Data 
=
Stub affects versions of MDAC prior to version 2.7 (the version that =
shipped with Windows XP). By sending a specially malformed HTTP request =
to the Data Stub, an attacker could cause data of his or her choice to =
overrun onto the heap. Although heap overruns are typically more =
difficult to exploit than the more-common stack overrun, Microsoft has =
confirmed that in this case it would be possible to exploit the =
vulnerability to run code of the attacker's choice on the user's system. =

        Both web servers and web clients are at risk from the vulnerability:=20
*       Web servers are at risk if a vulnerable version of MDAC is installed =
and running on the server. To exploit the vulnerability against such a =
web server, an attacker would need to establish a connection with the =
server and then send a specially malformed HTTP request to it, that =
would have the effect of overrunning the buffer with the attacker's =
chosen data. The code would run in the security context of the IIS =
service (which, by default, runs in the LocalSystem context)=20
*       Web clients are at risk in almost every case, as the RDS Data Stub is =
included with all current versions of Internet Explorer and there is no =
option to disable it. To exploit the vulnerability against a client, an =
attacker would need to host a web page that, when opened, would send an =
HTTP reply to the user's system and overrun the buffer with the =
attacker's chosen data. The web page could be hosted on a web site or =
sent directly to users as an HTML Mail. The code would run in the =
security context of the user.=20
        Clearly, this vulnerability is very serious, and Microsoft recommends =
that all customers whose systems could be affected by them take =
appropriate action immediately.=20
*       Customers using Windows XP, or who have installed MDAC 2.7 on their =
systems are at no risk and do not need to take any action.=20
*       Web server administrators who are running an affected version of MDAC =
should either install the patch, disable MDAC and/or RDS, or upgrade to =
MDAC 2.7, which is not affected by the vulnerability.=20
*       Web client users who are running an affected version of MDAC should =
install the patch immediately on any system that is used for web =
browsing. It is important to stress that the latter guidance applies to =
any system used for web browsing, regardless of any other protective =
measures that have already been taken. For instance, a web server on =
which RDS had been disabled would still need the patch if it was =
occasionally used as a web client.=20
        Before deploying the patch, customers should familiarize themselves =
with the caveats discussed in the FAQ and in the Caveats section below.=20
        Mitigating factors:=20
        Web Servers=20
*       Web servers that are using MDAC version 2.7 (the version that shipped =
with Windows XP) or later are not aat risk from the vulnerability.=20
*       Even if a vulnerable version of MDAC were installed, a web server =
would only be at risk if RDS were enabled. RDS is disabled by default on =
clean installations of Windows XP and Windows 2000, and can be disabled =
on other systems by following the guidance in the IIS Security Checklist =
<http://www.microsoft.com/technet/security/tools/chklist/iis4cl.asp?frame=
=3Dtrue>. In addition, the IIS Lockdown Tool =
<http://www.microsoft.com/technet/security/tools/tools/locktool.asp> =
will automatically disable RDS when used in its default configuration.=20
*       If the URLScan =
<http://www.microsoft.com/technet/security/tools/tools/urlscan.asp> tool =
were deployed with its default ruleset (which allows only ASCII data to =
be present in an HTTP request), it is likely that the vulnerability =
could only be used for denial of service attacks.=20
*       IIS can be configured to run with fewer than administrative =
privileges. If this has been done, it would likewise limit the =
privileges that an attacker could gain through the vulnerability.=20
*       IP address restrictions, if applied to the RDS virtual directory, =
could enable the administrator to restrict access to only trusted users. =
This is, however, not practical for most web server scenarios.=20
        Web clients=20
*       Web clients that are using MDAC version 2.7 (the version that shipped =
with Windows XP) or later are not at risk from the vulnerability.=20
*       The HTML mail-based attack vector could not be exploited automatically =
on systems where Outlook 98 or Outlook 2000 were used in conjunction =
with the Outlook Email Security Update =
<http://office.microsoft.com/Downloads/2000/Out2ksec.aspx>, or Outlook =
Express 6 or Outlook 2002 were used in their default configurations.=20
*       Exploiting the vulnerability would convey to the attacker only the =
user's privileges on the system. Users whose accounts are configured to =
have few privileges on the system would be at less risk than ones who =
operate with administrative privileges.=20
        Severity Rating:=20
        =09
MDAC 2.1        Critical=09
MDAC 2.5        Critical=09
MDAC 2.6        Critical=09
MDAC 2.7        Not affected=09
Internet Explorer 5.01  Critical=09
Internet Explorer 5.5   Critical=09
Internet Explorer 6.0   Critical=09
The above assessment =
<http://www.microsoft.com/technet/security/topics/rating.asp> is based =
on the types of systems affected by the vulnerability, their typical =
deployment patterns, and the effect that exploiting the vulnerability =
would have on them. This vulnerability is rated critical because an =
attacker could take over an IIS server or an Internet Explorer client =
and run code. Any IIS server with MDAC and all Internet Explorer clients =
should apply the patch immediately.=20
        Vulnerability identifier: CAN-2002-1142 =
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2002-1142>=20
        Tested Versions:
        Microsoft tested MDAC 2.1, 2.5, 2.6 and 2.7 to assess whether they are =
affected by the server-side vulnerability. In addition, Microsoft also =
tested Internet Explorer 5.01, 5.5 and 6.0 to assess whether they are =
affected by the client-side vulnerability. Previous versions are no =
longer supported =
<http://support.microsoft.com/directory/discontinue.asp>, and may or may =
not be affected by these vulnerabilities.
 <<ole1.bmp>> Frequently asked questions=20
        What vulnerability is eliminated by the patch?=20
        This patch eliminates a security vulnerability affecting many web =
servers and clients. However, before installing it, it's worth reviewing =
an important caveat associated with the patch.=20
=09
=09
=09
=09
        What caveats are associated with the patch?=20
        Although the patch does address the vulnerability, there is a niche =
scenario through which a patched system could, under unusual conditions, =
be made vulnerable again. This scenario results because it is not =
possible to set the "Kill Bit" used by one of the vulnerable components. =

        What's the "Kill Bit"?=20
        The Kill Bit is a method by which an ActiveX control can be prevented =
from ever being invoked via Internet Explorer, even if it's present on =
the system. (More information on the Kill Bit is available in Microsoft =
Knowledge Base article Q240797). Typically, when a security =
vulnerability involves an ActiveX control, the patch delivers a new =
control and sets the Kill Bit on the vulnerable control. However, it =
isn't feasible to do so in this case.=20
        Why isn't it feasible to set the Kill Bit in this case?=20
        The ActiveX control involved in these vulnerabilities is used in many =
applications and web pages to access data. Many applications, including =
third-party applications, contain hard-coded references to it; if the =
patch set the Kill Bit, the web pages would no longer function at all - =
even with the new, corrected version. As a result, the patch updates the =
control to remove the vulnerabilities, but does not provide a brand-new =
control and set the Kill Bit on the old one.=20
        What the risk associated with taking this approach?=20
        Because the ActiveX control at issue here has been digitally signed by =
Microsoft, and the signature is still valid, it could be possible under =
certain conditions for an attacker to re-introduce the old, vulnerable =
version of the control onto a system that had been patched, thereby =
making it vulnerable again. In order for this happen, though, the user =
would need to either visit a web site operated by a malicious person or =
open an HTML mail from one. (It's worth noting that in the case of HTML =
mail, customers using either Outlook 6 or Outlook 2002 in the default =
configuration, or Outlook 98 or 2000 in conjunction with the Outlook =
Email Security Update =
<http://office.microsoft.com/Downloads/2000/Out2ksec.aspx>, would be at =
no risk).=20
        Why would an attacker be able to silently re-introduce the old version =
of the control? Shouldn't there be a warning message?=20
        A warning message is generated anytime there's an error associated with 
=
a digital signature (e.g., a bad signature or expired certificate) or =
the signer isn't trusted. But in this case, the digital signature on the =
old version of the control is still valid, and the signer is Microsoft - =
which is a trusted publisher in many cases. Because of this, most users =
would not see a warning message of any kind if the old control was =
re-introduced.=20
        Why not revoke the certificate that was used to sign the control?=20
        The certificate that was used to sign the control is still valid - the =
problem lies in the control, not the certificate. In addition, a number =
of controls have been signed using the same certificate, and revoking =
the certificate would cause all of them to become invalid.=20
        What steps could I follow to prevent the control from being silently =
re-introduced onto my system?=20
        The simplest way is to make sure you have no trusted publishers, =
including Microsoft. If you do that, any attempt by either a web page or =
an HTML mail to download an ActiveX control will generate a warning =
message. Here's how to empty the Trusted Publishers list:=20
                In Internet Explorer, choose Tools, then Internet Options.=20
                Select the Content tab. In the Certificates section of the 
page, click =
on Publishers.=20
                In the Certificates dialog, click on the Trusted Publishers 
tab.=20
                For each certificate in the list, click on the certificate and 
then =
select Remove. Confirm that you want to remove the entry.=20
                When you've removed all entries from the list, select Close to 
close =
the Certificates dialog, then click on OK to close the Internet Options =
dialog.=20
After emptying the Trusted Publishers list, if I do see a warning saying =
that a web site or an HTML mail wants to download a control, how can I =
decide whether to let it proceed?=20
        The best criterion to use is whether you trust the web site or the =
sender of the HTML mail. If you don't trust the web site offering the =
control, cancel the download.=20
        Will Microsoft eventually set the Kill Bit on this control?=20
        Yes. Microsoft is developing a new technology that will enable it to =
set the Kill Bit on the vulnerable version of the control without =
forcing users to re-author web pages containing references to these =
controls. When the new technology is available, we will ensure that this =
fix uses it.=20
=09
=09
=09
=09
        What's the scope of the vulnerability?=20
        This is a buffer overrun =
<http://www.microsoft.com/technet/security/bulletin/glossary.asp> =
vulnerability. An attacker who successfully exploited it could gain =
complete control over an affected system, thereby gaining the ability to =
take any action that the legitimate user could take. This could include =
creating, modifying or deleting data on the system, reconfiguring it, =
reformatting the hard drive, or running programs of the attacker's =
choice on it. The vulnerability poses a risk both to web servers and web =
clients, and Microsoft recommends that all users take action immediately =
to ensure that their systems are protected against it.=20
        Windows XP systems, whether serving as Web servers or clients, are not =
affected by the vulnerability. Other systems have varying degrees of =
options available to them:=20
*       Web servers have a range of actions they can take to protect their =
systems, from installing the patch to disabling the affected function. =
Even in cases where a server is vulnerable, tools such as URLScan would =
likely limit the use of the vulnerability to denial of service attacks =
only.=20
*       Web clients - including Web servers that are sometimes used for Web =
browsing - have fewer options. Web clients running anything but Windows =
XP can only be made secure by applying the patch.=20
        What causes the vulnerability
        The vulnerability results because of an unchecked buffer in one of the =
Microsoft Data Access Components - specifically, the Remote Access =
Service Data Stub.
        What are the Microsoft Data Access Components?
        Microsoft Data Access Components =
<http://msdn.microsoft.com/library/default.asp?url=3D/library/en-us/dnmda=
c/html/technologyfeatures.asp> (MDAC) is a collection of components that =
make it easy for programs to access databases and manipulate the data =
within them. Modern databases may take a variety of forms (e.g., SQL =
databases, Access databases, XML files, and so forth) and be housed in a =
variety of locations (e.g., on the local system or on a remote database =
server). MDAC provides a consolidated set of functions for working with =
all of them in a consistent manner.
        Do I have MDAC on my system?
        The answer is almost certainly yes. MDAC is a ubiquitous technology:=20
*       * It installs as part of Windows XP, Windows Me, Windows 2000. (It's =
worth noting, though, that the version installed by Windows XP does not =
have this vulnerability)=20
*       It's available for download from the Microsoft web site =
<http://www.microsoft.com/data/>.=20
*       It's installed by many other Microsoft applications. To name just a =
few cases, it's installed as part of the Windows NT 4.0 Option Pack and =
by both Microsoft Access and SQL Server.=20
*       Some of the components in MDAC are included in other Microsoft =
technologies. For instance, Internet Explorer includes some MDAC =
functions. As we'll discuss later, this turns out to be an important =
factor in this case.=20
        What are the Remote Data Services?
        Remote Data Services (RDS =
<http://msdn.microsoft.com/library/default.asp?url=3D/library/en-us/dnrds=
/html/msdn_remtdata.asp>) is a component of MDAC. RDS provides a =
function that's frequently needed in Internet-based scenarios, namely, =
the ability to access data sources indirectly through a three-tiered =
system. If you've ever visited a web site that implements a search =
function, you've participated in a three-tiered =
<http://msdn.microsoft.com/library/default.asp?url=3D/library/en-us/csvr2=
002/htm/cs_pl_deployment_rttm.asp> database system. In such a system, =
the user (who occupies the so-called User Interface Tier) interrogates a =
database (which occupies the so-called Database Tier), but doesn't do so =
directly. Instead, he or she provides requests to an intermediary tier, =
known as the Business Logic Tier. In most Internet scenarios, the =
Business Logic Tier resides on a web server.=20
        The purpose of the Business Logic Tier is to determine what the user =
wants, translate that request into a series of database commands, check =
those commands to ensure that the user is really allowed to make them, =
and then send them to the Database Tier. When the response from the =
database arrives, the Business Logic Tier may need to translate the =
results into a form that's more meaningful for the user. RDS provides =
many of the functions needed to implement the Business Logic Tier of =
such a system; specifically, it provides functions that, on a web =
server, allow it to interpret database requests from a client and, on a =
client, interpret responses to such requests when they're received from =
the web server.=20
        What's wrong with RDS?
        One of the components of RDS that was delivered in MDAC 2.4, 2.5 and =
2.6 contains an unchecked buffer. On the server side, this component is =
known as the RDS Data Stub and on the client side it is called the Data =
Space cotrol. These components implement some of the functionality of =
the Business Logic Tier. In particular, the Data Stub processes HTTP =
requests and transforms them into RDS requests that can then be passed =
to the RDS core functionality for processing.
        What do you mean when you say that the RDS Data Stub has an unchecked =
buffer?
        A buffer is a location in memory that's allocated to hold data of some =
type. It's the responsibility of the program that owns the buffer (in =
this case, the RDS Data Stub) to ensure that it never puts more data =
into the buffer than it can hold - otherwise, the data will spill into =
surrounding memory and overwrite the data there, resulting in a buffer =
overrun.=20
        Buffer overruns are dangerous. In the least serious case, if a buffer =
were overrun with random data, it would have the effect of corrupting =
the memory that it overran; in most cases, this would lead to the =
program, or potentially the system itself, failing. But if the buffer =
were overrun with carefully selected data, the effect could be to, in =
essence, alter the program so that it now performed new functions. =
Clearly, any flaw that could enable an attacker to turn an already =
running program to his or her own purposes is serious.=20
        What would this vulnerability enable an attacker to do?
        This vulnerability would enable an attacker to send an HTTP request to =
an affected system that, when processed by the RDS Data Stub, would =
cause a buffer overrun. Potentially, any system that has MDAC, and in =
particular RDS, installed and running is at risk. But two types of =
systems are at special risk:=20
*       Web servers. Many web servers have vulnerable versions of RDS running =
on them. If an attacker successfully exploited the vulnerability against =
such a server, he or she could either destabilize it or, in the worst =
case, gain complete control over it. The attacker could then deface web =
pages, attack users who subsequently visited the site, or simply =
reformat the hard drive.=20
*       Web clients. By a web client, we mean any system that's used to =
process web pages; typical examples include home computers, laptops or =
workstations that are used to browse the Web or handle email. The RDS =
Data Stub is present on these systems as part of Internet Explorer. If =
an attacker successfully exploited the vulnerability against such a =
system, he or she could either cause Internet Explorer fail (which would =
have no lasting effects) or, in the worst case, gain the user's =
privileges on it. The attacker could then take any action on the system =
that the user could take.=20
        Who could exploit the vulnerability?
        It would depend on whether the attacker wanted to exploit the =
vulnerability against a web server or a web client.=20
*       Web server. Any user who could establish a web session with an =
affected server could exploit the vulnerability, by sending it an =
appropriate HTTP request.
*       Web client. A user could exploit the vulnerability against a web =
client if he or she were able to construct a web page that would send an =
appropriate HTTP command, and then convince a user to open it. =
Typically, this would be done by either hosting the page on a web site =
that the attacker controlled or sending it directly to users as an HTML =
mail.=20
        I run a web server. How can I tell whether my system is at risk?
        In order for a web server to be at risk from the vulnerability, both of 
=
the following must be true:=20
*       A vulnerable version of MDAC must be installed on the server. The most =
recent version of MDAC, version 2.7 (which ships as part of Windows XP), =
does not contain this vulnerability. However, most previous versions are =
vulnerable.=20
*       RDS must be running in Internet Information Services (IIS). In IIS 5.0 =
and 5.1, RDS is disabled by default (unless the system was upgraded from =
a previous version of Windows). Even in cases where RDS does run by =
default, it can be disabled as discussed in the IIS Security Checklist =
<http://www.microsoft.com/technet/security/tools/chklist/iis4cl.asp?frame=
=3Dtrue>. The IIS Lockdown Tool =
<http://www.microsoft.com/technet/security/tools/tools/locktool.asp> =
will also automatically disable RDS when used in its default =
configuration.=20
        It's important to keep in mind, though, that if the web server is also =
used as a web client occasionally (that is, if you browse the web or =
read email from the server), it could still be at risk. The server-based =
and client-based vulnerabilities are completely independent of one =
another.=20
        I've installed the URLScan tool on my web server. Will it help protect =
my system?
        Yes. The URLScan =
<http://www.microsoft.com/technet/security/tools/tools/urlscan.asp> tool =
restricts the type of HTTP requests that the server will process. Of =
particular interest in this case is the fact that URLScan's default =
ruleset will only allow HTTP requests to be processed by the server if =
they consist of only ASCII data. It would be extremely difficult to =
create a request that would alter the operation of the IIS service using =
only valid ASCII data; however, even in this case, an attacker could =
still cause the service to fail.
        My system is a web client. How can I tell if it's at risk?
        The first thing to do is check whether you're running Windows XP. If =
you are, your system is at no risk - the version of MDAC that shipped =
with Windows XP does not contain the vulnerability.=20
        All other versions of Windows are at risk. Several versions of Windows =
ship with a vulnerable version of MDAC, as did several versions of =
Internet Explorer. As a result, systems running anything other than =
Windows XP are almost certainly at risk and need the patch.=20
        You said that Windows XP isn't vulnerable, but that customers using =
Internet Explorer 6.0 are. Yet Internet Explorer 6.0 shipped as part of =
Windows XP. Why isn't Windows XP vulnerable?=20
        When Internet Explorer 6.0 is installed on a system, it checks to see =
whether there's a version of MDAC already installed; if there isn't one, =
it installs it. In the case of Windows XP, a version of MDAC is already =
installed - one that isn't affected by the vulnerability - and so =
Internet Explorer 6.0 uses that version.=20
        Does the web site-based or HTML mail-based attack vector pose the =
greater threat to web clients?=20
        There would be advantages and disadvantages for the attacker regardless 
=
of the attack vector chosen. The primary advantage, from the attacker's =
perspective, of hosting the web page on a web site is that most =
computers would be vulnerable to such an attack unless the patch had =
been installed. The primary disadvantage is that the attacker wouldn't =
have any way to force users to visit the site. Instead, he or she would =
need to lure them there, typically by getting them to click a link that =
would take them to the attacker's site.=20
        In contrast, sending the web page as an HTML mail would offer the =
attacker the advantage of being able to target specific users, and send =
it directly to them. The primary disadvantage is that the HTML =
mail-based attack would fail on many users' systems. Specifically, even =
without the patch, the vulnerability could not be exploited via HTML =
mail on systems where Outlook 98 or Outlook 2000 were used in =
conjunction with the Outlook Email Security Update =
<http://office.microsoft.com/Downloads/2000/Out2ksec.aspx>, or Outlook =
Express 6 or Outlook 2002 were used in their default configurations.
        My system is a web server, and I've confirmed that it's not vulnerable. 
=
However, I also sometimes browse the Web from that system. Do I need to =
install the patch?
        Yes. Any system that acts as a web client needs the patch. This is true 
=
even if the system also happens to be a web server, and even if the web =
server has been configured in a way to protects it from the =
vulnerability.
        Is there a separate patch for MDAC and Internet Explorer?
        No. We have developed a single patch that will install the fixes for =
both MDAC and Internet Explorer at the same time. The patch will =
determine what version of MDAC, if any, your system is using and apply =
the fixes to all vulnerable components on it. If there are no vulnerable =
components on the system, the patch will do nothing.
        I don't know if MDAC is installed. Do I need to determine that first =
before I apply the patch?
        No. The patch will determine what version of MDAC, if any, is installed 
=
on your system and apply the needed fixes.
Patch availability
        Download locations for this patch=20
*       The following patch can be installed on all affected platforms:
<http://www.microsoft.com/downloads/Release.asp?ReleaseID=3D44733>=20
 <<ole2.bmp>> Additional information about this patch=20
        Installation platforms:=20
        The patch can be installed on the following systems:=20
*       Windows 98 Gold.=20
*       Windows 98SE Gold=20
*       Windows Me Gold=20
*       Windows NT4 Service Pack 6a =
<http://www.microsoft.com/NTServer/nts/downloads/recommended/SP6/allsp6.a=
sp>=20
*       Windows 2000 Service Pack 2 =
<http://www.microsoft.com/windows2000/downloads/servicepacks/sp2/default.=
asp> or Service Pack 3 =
<http://www.microsoft.com/windows2000/downloads/servicepacks/sp3/default.=
asp>=20
        Inclusion in future service packs:
*       The fix for this issue will be included in the next service pack for =
MDAC 2.5. There will be no more service packs for MDAC 2.1 and MDAC 2.6. =

*       The fix will also be included in Internet Explorer 5.01 Service Pack 4 =
and Internet Explorer 6.0 Service Pack 2.=20
        Reboot needed:=20
*       Web servers: We recommend rebooting the server after installing the =
patch.=20
*       Web client: It is not necessary to reboot after installing the patch.=20
        Patch can be uninstalled: No.=20
        Superseded patches: None.=20
        Verifying patch installation:=20
*       Microsoft Knowledge Base article Q329414 =
<http://support.microsoft.com/default.aspx?scid=3Dkb;en-us;Q329414> =
provides a file manifest that can be used to verify the patch =
installation.=20
        Caveats:
*       As discussed in the FAQ, the patch does not set the Kill Bit on the =
affected ActiveX control.=20
*       If, after applying the patch, an MDAC service pack that predates the =
patch is installed, the effect is to remove the patch. Moreover, because =
the patch files would still be on the system, Windows Update would not =
be able to detect that the patch files were not in use, and would not =
offer to reinstall the patch. Instead, the user would need to reinstall =
the patch manually after installing the service pack.=20
                        An example would be a users who have already patched 
their MDAC 2.5 =
machines. Then if they apply MDAC 2.5 Service Pack 2 over the already =
patched MDAC 2.5 machines, it's possible that there would be a =
regression, making it necessary for the users to reinstall this patch.=20
        Localization:
        Localized versions of this patch are available at the locations =
discussed in "Patch Availability".=20
        Obtaining other security patches:=20
        Patches for other security issues are available from the following =
locations:=20
*       Security patches are available from the Microsoft Download Center =
<http://www.microsoft.com/downloads/search.asp?Search=3DKeyword&Value=3D'=
security_patch'&OpSysID=3D1>, and can be most easily found by doing a =
keyword search for "security_patch".=20
*       Patches for consumer platforms are available from the WindowsUpdate =
<http://windowsupdate.microsoft.com/> web site=20
Other information:=20
        Acknowledgments=20
        Microsoft thanks  </technet/security/bulletin/policy.asp>Foundstone =
Research Labs <http://www.foundstone.com> for reporting this issue to us =
and working with us to protect customers.=20
        Support:=20
*       Microsoft Knowledge Base article Q329414 =
<http://support.microsoft.com/default.aspx?scid=3Dkb;en-us;Q329414> =
discusses this issue. Knowledge Base articles can be found on the =
Microsoft Online Support =
<http://support.microsoft.com/?scid=3Dfh;en-us;kbhowto> web site.=20
*       Technical support is available from Microsoft Product Support Services =
<http://support.microsoft.com/directory/question.asp?sd=3Dgn&fr=3D0>. =
There is no charge for support calls associated with security patches.=20
        Security Resources: The Microsoft TechNet Security =
</technet/security/default.asp> Web Site provides additional information =
about security in Microsoft products.=20
        Disclaimer:=20
        The information provided in the Microsoft Knowledge Base is provided =
"as is" without warranty of any kind. Microsoft disclaims all =
warranties, either express or implied, including the warranties of =
merchantability and fitness for a particular purpose. In no event shall =
Microsoft Corporation or its suppliers be liable for any damages =
whatsoever including direct, indirect, incidental, consequential, loss =
of business profits or special damages, even if Microsoft Corporation or =
its suppliers have been advised of the possibility of such damages. Some =
states do not allow the exclusion or limitation of liability for =
consequential or incidental damages so the foregoing limitation may not =
apply.=20
        Revisions:=20
*       V1.0 (November 20, 2002): Bulletin Created.=20




-- No attachments (even text) are allowed --
-- Type: image/bmp
-- File: ole0.bmp
-- Desc: ole0.bmp


-- No attachments (even text) are allowed --
-- Type: image/bmp
-- File: ole1.bmp
-- Desc: ole1.bmp


-- No attachments (even text) are allowed --
-- Type: image/bmp
-- File: ole2.bmp
-- Desc: ole2.bmp



==================================
To Unsubscribe, set digest or vacation
mode or view archives use the below link.

http://thethin.net/win2000list.cfm

Other related posts:

  • » [windows2000] Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414)