In-Depth
Vulnerabilities: IE Cross-Domain Security Flaw, Database Component Exposure
Microsoft releases a patch for IE 5.01 and above; company's Data Access Components could run hacker's code
Vulnerability: Critical Patch for IE Cross-Domain Security Flaw
Microsoft released a “critical” patch for Internet Explorer versions 5.01, 5.5, 6.0, and 6.0 for Windows Server 2003, warning of a flaw that could let an attacker run arbitrary code on a user’s PC. The patch is cumulative, fixing previously identified problems.
The latest vulnerability involves cross-domain security. If a user visits a Web site hosted by the attacker, the attacker could force the user’s computer to load code. Essentially, the attacker does a bait and switch, causing a file to be written to the browser cache, then using a malicious script to force-load that file in the “My Computer” zone. The attacker could also run code already present on a user’s machine, or look at files.
The patch also fixes an ActiveX control Microsoft no longer uses in Internet Explorer, the Windows Reporting Tool, which contains a security hole, as well as several other vulnerabilities.
Security Bulletins: http://www.microsoft.com/technet/security/bulletin/MS03-032.asp
http://www.microsoft.com/security/security_bulletins/ms03-032.asp
Vulnerability: Microsoft Database Components
Microsoft warned of vulnerabilities in versions 2.5, 2.6, and 2.7 of its Microsoft Data Access Components (MDAC). Successful attacks could let an attacker run code of their choosing.
MDAC provides database connectivity on Windows. Microsoft says it is “likely to be present on most Windows systems.” By default, it’s included in Windows Me, XP, 2000, and Windows Server 2003. It’s also available for download in certain NT and SQL Server option packs.
MDAC supports a number of database operations, such as connecting to remote databases. Because of the way the software broadcasts its call for other network computers running SQL Server, an attacker could craft a packet that would cause a buffer overflow. As a result, the attacker could gain whichever privileges the application initiating the broadcast call has. Theoretically the attacker could get root access, then create, delete or alter data.
One mitigating factor, says Microsoft, is that the attacker must “simulate a SQL server on the same subnet as the target system.”
Security Bulletins: http://www.microsoft.com/technet/security/bulletin/MS03-033.asp
http://www.microsoft.com/security/security_bulletins/ms03-033.asp
About the Author
Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.