ISA and MDAC Vulnerabilities Require Patches
Jan. 19, 2004

Security bulletins and patches have been issued for vulnerabilities in Internet Security and Acceleration (ISA) Server and the Microsoft Data Access Components (MDAC), a key component of the Windows OS. Both vulnerabilities could leave systems exposed to takeover by malicious code and require immediate corrective action, even if customers consider exploitation of these vulnerabilities unlikely.

Critical ISA Vulnerability

ISA Server is an enterprise-level firewall and Web cache server. The vulnerability is an unchecked buffer in the H.323 filter. Attackers who can exploit the vulnerability can run code of their choice in the security context of the Microsoft Firewall Service, effectively gaining full control of the server.

The H.323 filter is an ISA Server component used to monitor and control traffic for IP telephony applications and to transfer data for applications, including whiteboard, file transfer, or remote desktop control, that use the H.323 and T.120 protocols. These protocols are used in Microsoft's Exchange Conferencing Server and NetMeeting client. The filter is enabled by default, although shipping it disabled by default would have been more in keeping with the "secure by default" recommendations of Microsoft's Trustworthy Computing initiative.

The list of affected Microsoft software includes not only ISA Server 2000 but also Small Business Server 2000 and Small Business Server 2003 Premium Edition, both of which include the affected version of ISA Server.

A previous version of the server, Microsoft Proxy Server 2.0, is not affected.

Until the available patch can be installed, customers could consider disabling the H.323 filter and blocking TCP port 1720 at a perimeter or gateway router. Using the workaround would mean that applications that use the H.323 protocol, such as NetMeeting, would no longer be able to communicate over the Internet.

Important MDAC Vulnerability

MDAC is a set of Windows components that enable database connectivity. These components provide the underlying functionality for a number of database operations, such as creating a list on a Windows client computer of all available SQL Servers or creating a connection to transfer data between a program and a SQL Server.

The vulnerability is an unchecked buffer, which could overflow in such a way that an attacker could run code with the same privileges as the program or service using MDAC. This privilege level could vary, but because MDAC typically runs with a high degree of privilege, the resulting exposure could be significant. This vulnerability is rated "important," rather than "critical," because an exploit would have to come from the same subnet and would require user intervention.

Since the original version of MDAC on a given system may have changed over time (a variety of updates were available for download on the Microsoft Web site), a tool is available to help determine which version of MDAC is present on a system.

The affected software includes the following:

  • MDAC 2.5 (included with Windows 2000)
  • MDAC 2.6 (included with SQL Server 2000)
  • MDAC 2.7 (included with Windows XP)
  • MDAC 2.8 (included with Windows Server 2003)

There is one patch for all 32-bit versions of MDAC, but Windows Server 2003 64-bit Edition, which also includes MDAC 2.8, requires a 64-bit version of the patch.

Until customers can install the available patch, they can use Windows TCP/IP filters on SQL Server computers to block UDP port 1434 from accepting inbound traffic. This workaround protects the computer from exploitation of this vulnerability, but SQL client systems would no longer be able to initiate SQL broadcast requests, and the workaround could prevent connections to SQL Server.
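Both interim workarounds above come down to the same thing: inbound traffic to TCP port 1720 (the ISA H.323 filter) and UDP port 1434 (the SQL Server resolution traffic MDAC uses) should no longer be reaching the affected hosts. The following script is an added example, not part of the original article or of any Microsoft tool, that checks firewall log lines for exactly that. It assumes a simple, constructed log format (timestamp, action, direction, protocol, source, destination), so the regular expression will need adjusting for a real product's logs; the sample lines and the 192.0.2.0/24 "local subnet" are likewise constructed for the example. Any "allow" hit for these ports means the workaround is not in effect on that path; a same-subnet source on UDP 1434 is the case the MDAC bulletin rates as exploitable.

```python
"""Audit firewall log lines for inbound traffic to the two ports named in the
MS04-001 (ISA, TCP/1720) and MS04-003 (MDAC, UDP/1434) workarounds.

Added example, not code from the original article or from Microsoft. The log
format parsed here is constructed for the example and is not a real product's
output format.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed format: <timestamp> <allow|deny> <in|out> <tcp|udp> <src>:<port> -> <dst>:<port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>allow|deny)\s+(?P<direction>in|out)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Ports the article's interim workarounds say should be blocked inbound.
WATCHED = {
    ("tcp", 1720): "ISA Server H.323 filter (MS04-001)",
    ("udp", 1434): "SQL Server resolution / MDAC (MS04-003)",
}


@dataclass(frozen=True)
class Finding:
    ts: str
    service: str
    src: str
    dst: str
    origin: str    # "same-subnet" or "external", relative to the protected subnet
    severity: str  # "workaround-not-enforced" if allowed, "blocked" if denied


def audit(lines: Iterable[str], local_net: str) -> List[Finding]:
    """Return one Finding per inbound log line aimed at a watched port.

    Lines that do not parse, outbound lines, and other ports are ignored.
    """
    net = ipaddress.ip_network(local_net)
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["direction"] != "in":
            continue
        key = (m["proto"], int(m["dport"]))
        if key not in WATCHED:
            continue
        src = ipaddress.ip_address(m["src"])
        # MS04-003 is only exploitable from the same subnet, so record where
        # the source sits; the ISA port is reachable from the Internet.
        origin = "same-subnet" if src in net else "external"
        severity = "workaround-not-enforced" if m["action"] == "allow" else "blocked"
        findings.append(Finding(m["ts"], WATCHED[key], m["src"], m["dst"], origin, severity))
    return findings


def unenforced(findings: Iterable[Finding]) -> List[Finding]:
    """Filter to the findings that show traffic still getting through."""
    return [f for f in findings if f.severity == "workaround-not-enforced"]


# Constructed sample log: one allowed and one denied H.323 connection, one
# same-subnet UDP/1434 datagram, plus unrelated and malformed lines.
SAMPLE_LOG = [
    "2004-01-19T09:58:12 allow in tcp 203.0.113.5:40211 -> 192.0.2.10:1720",
    "2004-01-19T09:58:40 deny in tcp 203.0.113.7:40300 -> 192.0.2.10:1720",
    "2004-01-19T10:01:03 allow in udp 192.0.2.25:1434 -> 192.0.2.20:1434",
    "2004-01-19T10:01:09 allow in tcp 198.51.100.9:51000 -> 192.0.2.10:443",
    "2004-01-19T10:02:30 allow out udp 192.0.2.20:1434 -> 192.0.2.255:1434",
    "this line is deliberately malformed",
]

if __name__ == "__main__":
    results = audit(SAMPLE_LOG, "192.0.2.0/24")
    for f in results:
        print(f"{f.ts} {f.severity:24} {f.service} {f.src} -> {f.dst} ({f.origin})")
    print(f"{len(unenforced(results))} path(s) where the workaround is not in effect")
```

Run against the sample lines, the script reports three hits on the watched ports, two of which were allowed through: the external H.323 connection to the ISA host and the same-subnet UDP 1434 datagram, the second being the one the MDAC bulletin's "same subnet" condition makes relevant.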

Resources

For more information on the ISA vulnerability and the recommended patch, see www.microsoft.com/technet/security/bulletin/MS04-001.asp.

For more information on the MDAC vulnerability and the recommended patch, see www.microsoft.com/technet/security/bulletin/MS04-003.asp.

For help in determining which version of MDAC is on a computer, see support.microsoft.com/default.aspx?scid=kb;en-us;301202.