MDAC Critical Security Hotfix

Paula Sharick discusses a vulnerability in MDAC's remote query functions.

Paula Sharick

December 9, 2002


Microsoft Data Access Components (MDAC) are embedded in Windows 2000, Windows NT, Windows Me, and Windows 9x OSs. MDAC functions enable clients and servers to connect to, query, and return information stored in a remote database. In a typical three-tiered application environment, a client uses MDAC to query a Web server. The Web server processes the client query and uses MDAC functions to forward the query to the target database. In late November, Microsoft identified a critical security vulnerability in MDAC's remote query functions that affects clients and servers that operate in a three-layered application architecture. Microsoft Security Bulletin MS02-065 (Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution) states that this problem doesn't affect XP systems.

If you don't apply the MDAC hotfix, a malicious user can send an improperly formatted HTTP request to a Web server; the request overflows the server's buffer and lets the attacker run code in the context of the Microsoft IIS Web server (by default, IIS runs with System privileges). On the client side, this vulnerability lets a malicious Web site operator use the same buffer overrun technique to send a malformed request to a client and run code with the privileges of the logged-on user. The severity of this loophole on the client is based on the logged-on account's privileges. If the user is logged on as an Administrator, the buffer overrun code will run with full system privileges.

This vulnerability exists in all versions of MDAC earlier than version 2.7. The Microsoft article "Release Manifest for MDAC 2.7 Refresh (2.70.9001.0)" at http://www.microsoft.com/data/mdac27info/en/readmerefresh.htm describes the improvements and known bugs in version 2.7. You can download the most recent version of MDAC at http://www.microsoft.com/data/download_270rtm.htm. Be aware that when you upgrade MDAC, you should first back up the system disk. MDAC upgrades have no uninstallation option, so you can't easily roll back to the previous version if the update causes problems; you'll need to restore the system disk from a backup or, alternatively, refresh the system disk with your standard desktop or server image.

To determine the MDAC version on a system, check the version number of two files, msadcs.dll and msadco.dll, in the Program Files\Common Files\System\msadc directory. Both files are protected system files that are also stored in %systemroot%\system32\dllcache. On my Win2K Service Pack 3 (SP3) and SP2 systems, both files have the same version number (2.53.6200.0) and thus are vulnerable to this exploit. Even if you don't support a Web server that queries a remote database on a client's behalf, you should apply this hotfix to all systems that browse Internet Web sites.

You can install this patch at Windows Update (http://v4.windowsupdate.microsoft.com/en/default.asp). Windows Update includes this hotfix in the "Critical Updates and Service Packs" section and displays this fix as "Q329414: Security Update (MDAC 2.5)." Don't be misled by the title; this fix applies to all older versions of MDAC. You can manually download the MDAC hotfix at http://www.microsoft.com/downloads/release.asp?releaseid=44733. The download file, q329414_mdacall_x86.exe, updates vulnerable MDAC components on all affected platforms, including legacy systems. To start the update, double-click the download file. If you want to examine the individual files and create a script to update multiple systems, you can use the standard hotfix command-line options to install the hotfix, or you can first extract the component files, then apply the hotfix.

Extract individual hotfix files to a temporary directory by typing

q329414_mdacall_x86.exe /t:<temp-directory> /c

This patch uses dahotfix.exe as the installer, and Dahotfix understands the standard hotfix command-line options, including /q for quiet, /c to extract, /t to specify the directory to store extracted files, and /n to disable the automatic reboot. When you use Dahotfix to apply the hotfix, the installer displays a window that describes the hotfix and prompts you to click OK to continue or Cancel to exit.

The security bulletin states that you should reboot Web servers after you install the hotfix but that you don't need to reboot clients. I strongly recommend you reboot all systems after you apply the hotfix because both hotfix files, msadco.dll and msadcs.dll, are protected system files (stored in %systemroot%\system32\dllcache). When you replace files in the system cache, you must reboot to overwrite earlier versions with the versions contained in the hotfix. For more information about which libraries this hotfix updates, see the Microsoft article "MS02-065: Buffer Overrun in Microsoft Data Access Components Can Lead to Code Execution (MDAC 2.6)" at http://support.microsoft.com/?kbid=329414. The article title is misleading because this vulnerability affects all earlier versions of MDAC, as far back as version 2.1. The earliest versions will most likely exist only on legacy Win9x platforms.
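The version check and the dllcache comparison described above can be scripted; the following PowerShell function is an added example, not part of the original article or of Microsoft's tooling. It assumes it runs from an administrative workstation or against a mounted disk image (the function name and parameters are hypothetical), and because the article gives no post-hotfix file versions, any pre-2.7 build other than the one it names is only flagged for comparison with the KB 329414 file list.

```powershell
# Added example: inventory the two MDAC files the article names, in both locations.
# Get-MdacFileAudit and its parameters are hypothetical names for this sketch.
function Get-MdacFileAudit {
    param(
        [string]$SystemDrive = $env:SystemDrive,   # e.g. C: or the root of a mounted image
        [string]$SystemRoot  = $env:SystemRoot     # e.g. C:\WINNT
    )
    $fixedIn  = [version]'2.70.0.0'     # article: versions earlier than 2.7 are affected
    $knownBad = [version]'2.53.6200.0'  # build the article reports on Win2K SP2/SP3
    $locations = [ordered]@{
        live     = Join-Path $SystemDrive 'Program Files\Common Files\System\msadc'
        dllcache = Join-Path $SystemRoot  'system32\dllcache'
    }
    foreach ($name in 'msadcs.dll', 'msadco.dll') {
        $seen = @{}
        foreach ($loc in $locations.Keys) {
            $path = Join-Path $locations[$loc] $name
            if (-not (Test-Path -LiteralPath $path)) {
                [pscustomobject]@{ File = $name; Copy = $loc; Version = $null; Status = 'file not found' }
                continue
            }
            # Build a comparable version from the numeric parts of the file version resource.
            $vi  = (Get-Item -LiteralPath $path).VersionInfo
            $ver = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                                  $vi.FileBuildPart, $vi.FilePrivatePart)
            $seen[$loc] = $ver
            if ($ver -ge $fixedIn) {
                $status = 'MDAC 2.7 or later'
            } elseif ($ver -eq $knownBad) {
                $status = 'vulnerable build named in the article'
            } else {
                $status = 'pre-2.7: compare with the file list in KB 329414'
            }
            [pscustomobject]@{ File = $name; Copy = $loc; Version = $ver; Status = $status }
        }
        # Differing copies suggest the hotfix was applied to one location only,
        # for example when the reboot the article recommends has not happened yet.
        if ($seen.Count -eq 2 -and $seen['live'] -ne $seen['dllcache']) {
            [pscustomobject]@{ File = $name; Copy = 'both'; Version = $null
                               Status = 'live and dllcache copies differ' }
        }
    }
}

Get-MdacFileAudit | Format-Table -AutoSize
```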
