Buffer Overrun Vulnerability in Microsoft Data Access Components (MDAC) - 01 Aug 2002

Reported July 31, 2002, by Microsoft.

VERSION AFFECTED

 

  • Microsoft Data Access Components (MDAC) Versions 2.7, 2.6, and 2.5

 

DESCRIPTION

 

A buffer overflow vulnerability exists in Microsoft Data Access Components (MDAC) that could result in the SQL service failing or executing arbitrary code from a potential attacker. This vulnerability results from an unchecked buffer in the MDAC functions that handle the OpenRowSet command. A potential attacker who submits a database query that contains a specially malformed parameter within a call to the T-SQL OpenRowSet command could exploit this vulnerability. Although MDAC ships as a component of all versions of Windows, this vulnerability can be exploited only on SQL servers.

 

VENDOR RESPONSE

 

The vendor, Microsoft, has released Security Bulletin MS02-040 to address this vulnerability and recommends that affected users the appropriate patch mentioned in the security bulletin.

 

CREDIT
Discovered by David Litchfield of Next Generation Security Software.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish