SUMMARY
After the release of this bulletin, it was
determined that the vulnerability that is addressed is not with the
OpenRowSet command. The
OpenRowSet command is a Microsoft SQL Server command. Instead, the vulnerability is
with the underlying MDAC component Open Database Connectivity (ODBC). OBDC is
present in all versions of Windows. Additionally, the original security patch that released
with this did not install correctly on some systems because of a flaw in the
way that Microsoft Windows Installer updated the Windows File Protection cache.
The bulletin has been updated to include this additional information, and to
direct users to an updated security patch.
Microsoft Data Access Components
(MDAC) is a collection of components that is used to provide database
connectivity on Microsoft Windows operating systems. MDAC is a ubiquitous
technology, and it is likely to be present on most Windows systems.
By default, MDAC is included as part of Microsoft Windows XP,
Microsoft Windows 2000, and Microsoft Windows Millennium Edition (Me). A number
of other products and technologies also include or install MDAC. For example,
the Microsoft Windows NT 4.0 Option Pack and Microsoft SQL Server 2000 both
include MDAC, and some MDAC components are present as part of Microsoft
Internet Explorer even if MDAC itself is not installed. MDAC is also available
as a stand-alone technology. To download MDAC, visit the following Microsoft
Web site:
MDAC provides the underlying functionality for a number
of database operations, such as connecting to remote databases and returning
data to a client. Specifically, it is the MDAC component known as Open Database
Connectivity (ODBC) that provides this functionality.
A security
vulnerability results because one of the ODBC functions in MDAC that is used to
connect to data sources contains an unchecked buffer. An attacker can seek to
exploit the vulnerability by constructing a Web page that, when visited by the
user, can execute code of the attacker's choice with the credentials of the user.
The Web page can be hosted on a Web site or sent directly to the user in an
e-mail message.
In the case of a system that is running SQL Server,
an attacker can seek to exploit this vulnerability by using the Transact-SQL
OpenRowSet command. An attacker who submits a database query that contains a
specially-malformed parameter in a call to
OpenRowSet might overrun the
buffer, either to cause the computer that is running SQL Server to fail, or to
cause the computer that is running SQL Server to take actions that are dictated
by the attacker.
The mitigating factors are as follows:
- Users who read e-mail messages as plain text must
take an action before an attacker can exploit the vulnerability.
- Systems that are configured to disable active scripting in
Internet Explorer are not affected by this vulnerability.
- In the Web-based attack scenario, a user must
visit a malicious Web site that is under the control of an attacker. An attacker cannot force users to visit a malicious Web site outside the HTML
e-mail vector. Instead, an attacker must lure users to the Web site, typically by
getting the user to click a link that takes them to the Web site of the attacker.
- The credentials that are gained through a successful attack
would be equal to those of the application under which ODBC is running. Most
of the time, an attacker gains only the same level of credentials that the user logged in with.
- By default, Outlook Express 6.0 and Outlook 2002 open HTML
mail in the Restricted Sites Zone. Additionally, Outlook 98 and 2000 open HTML
mail in the Restricted Sites Zone if the Outlook Email Security Update has been
installed. Customers who use any of these products would be at no risk from an
e-mail borne attack that tried to exploit this vulnerability unless the
user clicked a malicious link in the e-mail.
MORE INFORMATION
Download information
Note The following links reflect the new security patch,
MS03-033. The
following file is available for download from the Microsoft Download
Center:
Download
the Microsoft Data Access Components (MDAC) Security Patch MS03-033 package
now. Release Date: 20
August 2003
For additional information about how to download
Microsoft Support files, click the following article number to view the article
in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most
current virus-detection software that was available on the date that the file
was posted. The file is stored on security-enhanced servers that help to
prevent any unauthorized changes to the file.
Prerequisites
You must be running one of the following versions of MDAC:
- MDAC 2.5
- MDAC 2.6
- MDAC 2.7
Other versions of MDAC, including MDAC 2.8, are not affected by
this vulnerability.
Note These updates apply to all applicable languages.
Installation options
You must restart your computer after you apply this update. This
update supports the following Setup switches:
Switch Description
-------------------------------------------------------------------------
/? Displays the list of installation switches
/Q Quiet mode
/T:<full path> Specifies the temporary working folder
/C Extract files only to the folder when it is used with /T
/C:<Cmd> Override Install Command that author defines
/N No restart dialog box
For example, the following command-line command installs the
update without any user intervention and suppresses a
restart:
Q823718_MDAC_SecurityPatch /C:"dahotfix.exe /q /n"
/qThe
/q switch that is specified for dahotfix.exe is for a silent
install and the
/n switch suppresses a restart.
Warning Your computer is vulnerable until you restart it.
Restart requirement
You must restart your computer after you apply this update.
Removal information
This security patch cannot be removed after it has been installed.
Security patch replacement information
This security patch has been replaced with the security patch
that is provided in Microsoft Security Bulletin MS03-033. For more information
about Microsoft Security Bulletin MS03-033, visit the following Microsoft Web
site:
For additional information about Microsoft Security
Bulletin MS03-033, click the following article number to view the article in
the Microsoft Knowledge Base:
823718
MS03-033: Security Update for Microsoft Data Access Components
File information
The English version of this security patch has the file
attributes (or later) that are listed in the following table. The dates and
times for these files are listed in coordinated universal time (UTC). When you
view the file information, it is converted to local time. To find the
difference between UTC and local time, use the
Time Zone tab
in the Date and Time tool in Control Panel.
MDAC 2.5 Service Pack 2
Date Time Version Size File name
--------------------------------------------------------------
23-Jul-2003 20:56 3.520.6100.40 212,992 Odbc32.dll
21-Jul-2003 22:24 3.70.11.40 24,848 Odbcbcp.dll
23-Jul-2003 02:29 3.520.6100.40 102,672 Odbccp32.dll
21-Jul-2003 22:24 3.70.11.40 524,560 Sqlsrv32.dll
MDAC 2.5 Service Pack 3
Date Time Version Size File name
--------------------------------------------------------------
24-Jul-2003 00:13 3.520.6300.40 212,992 Odbc32.dll
21-Jul-2003 22:24 3.70.11.40 24,848 Odbcbcp.dll
24-Jul-2003 00:11 3.520.6300.40 102,672 Odbccp32.dll
21-Jul-2003 22:24 3.70.11.40 524,560 Sqlsrv32.dll
MDAC 2.6 Service Pack 2
Date Time Version Size File name
--------------------------------------------------------------
21-Jul-2003 17:28 2000.80.746.0 86,588 Dbnetlib.dll
22-Jul-2003 22:04 3.520.7501.40 217,360 Odbc32.dll
21-Jul-2003 17:28 2000.80.746.0 29,252 Odbcbcp.dll
22-Jul-2003 22:04 3.520.7501.40 102,672 Odbccp32.dll
31-Jul-2003 23:07 2000.80.746.0 479,800 Sqloledb.dll
21-Jul-2003 17:28 2000.80.746.0 455,236 Sqlsrv32.dll
MDAC 2.7 RTM
Date Time Version Size File name
--------------------------------------------------------------
31-Jul-2003 17:49 2000.81.9001.40 61,440 Dbnetlib.dll
22-Jul-2003 23:04 3.520.9001.40 204,800 Odbc32.dll
22-Jul-2003 23:10 2000.81.9001.40 24,576 Odbcbcp.dll
22-Jul-2003 23:10 3.520.9001.40 94,208 Odbccp32.dll
31-Jul-2003 17:49 2000.81.9001.40 450,560 Sqloledb.dll
22-Jul-2003 23:08 2000.81.9001.40 356,352 Sqlsrv32.dll
MDAC 2.7 Service Pack 1
Date Time Version Size File name
--------------------------------------------------------------
22-Jul-2003 18:27 2000.81.9041.40 61,440 Dbnetlib.dll
22-Jul-2003 18:22 3.520.9041.40 204,800 Odbc32.dll
22-Jul-2003 18:28 2000.81.9041.40 24,576 Odbcbcp.dll
22-Jul-2003 18:28 3.520.9041.40 98,304 Odbccp32.dll
31-Jul-2003 18:47 2000.81.9041.40 471,040 Sqloledb.dll
22-Jul-2003 18:27 2000.81.9041.40 385,024 Sqlsrv32.dll
Verification
Make sure that you have the correct versions of the files that are
listed in this article.