Buffer Overrun Vulnerability in Microsoft Data Access Components (MDAC) - 01 Aug 2002

Reported July 31, 2002, by Microsoft.



  • Microsoft Data Access Components (MDAC) Versions 2.7, 2.6, and 2.5




A buffer overflow vulnerability exists in Microsoft Data Access Components (MDAC) that could cause the SQL service to fail or to execute arbitrary code supplied by an attacker. The vulnerability results from an unchecked buffer in the MDAC functions that handle the OpenRowSet command. An attacker could exploit it by submitting a database query that contains a specially malformed parameter within a call to the T-SQL OpenRowSet command. Although MDAC ships as a component of all versions of Windows, this vulnerability can be exploited only on SQL servers.




The vendor, Microsoft, has released Security Bulletin MS02-040 to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in the security bulletin.


Discovered by David Litchfield of Next Generation Security Software.
