> ---------- > From: Microsoft Product Security[SMTP:secnotifat_private] > Sent: Monday, July 19, 1999 1:23 PM > To: MICROSOFT_SECURITYat_private > Subject: Microsoft Security Bulletin (MS99-025) > > The following is a Security Bulletin from the Microsoft Product Security > Notification Service. > > Please do not reply to this message, as it was sent from an unattended > mailbox. > ******************************** > > Microsoft Security Bulletin (MS99-025) > -------------------------------------- > > Re-Release: Unauthorized Access to IIS Servers through ODBC Data Access with > RDS > > Originally Released as MS98-004, July 17, 1998 > Re-Released as MS99-025, July 19, 1999 > > Preface > ======= > This bulletin is a re-release of Microsoft Security Bulletin MS98-004, > issued July 17, 1998. It has recently been brought to our attention that > this vulnerability has been used to gain unauthorized access to > Internet-connected systems that have not been updated as per the > instructions in MS98-004. The intent of re-releasing this bulletin is to > serve as a reminder about this vulnerability, to restate the threat, and > encourage system administrators to evaluate their systems to determine if > their systems have been correctly configured and updated to protect against > this vulnerability. > > Summary > ======= > Microsoft encourages the following actions be taken on systems that have > Microsoft(r) Internet Information Server 3.0 or 4.0 and Microsoft Data > Access Components 1.5, both of which are installed during a default > installation of the Windows NT(r) 4.0 Option pack: > - Install the latest version of MDAC (currently MDAC 2.1 SP2). > > However, simply upgrading from MDAC 1.5 to MDAC 2.0, or MDAC 2.1 is not > sufficient. For systems not explicitly utilizing RDS functionality, you > should also: > - Delete the /msdac virtual directory from the default Web site, or > - Apply registry settings that disable the DataFactory object. (See > the Q&A for the registry settings to adjust, or to download a .REG > file that can make the changes for you.) > > For systems implicitly utilizing RDS functionality, you should: > - Disable Anonymous Access for the /msadc directory in the default > Web site, and/or > - Create a Custom Handler to control or filter incoming requests. > (http://www.microsoft.com/Data/ado/rds/custhand.htm) > > If you do not complete these steps, unauthorized access as described below > may still be possible. > > Frequently asked questions regarding this vulnerability and updating > systems to protect against it can be found at > http://www.microsoft.com/security/bulletins/MS99-025faq.asp > > Issue > ===== > The RDS DataFactory object, a component of Microsoft Data Access Components > (MDAC), exposes unsafe methods. When installed on a system running Internet > Information Server 3.0 or 4.0, the DataFactory object may permit an > otherwise unauthorized web user to perform privileged actions, including: > - Allowing unauthorized users to execute shell commands on the > IIS system as a privileged user. > - On a multi-homed Internet-connected IIS system, using MDAC to > tunnel SQL and other ODBC data requests through the public connection > to a private back-end network. > - Allowing unauthorized accessing to secured, non-published files on > the IIS system. > > Affected Software Versions > ========================== > - Microsoft Internet Information Server 3.0 or 4.0 that have or > have had Microsoft Data Access Components 1.5 installed on it. > > NOTE: IIS can be installed as part of other Microsoft products like > Microsoft BackOffice and Microsoft Site Server. > > NOTE: MDAC 1.5 is installed during a default installation of the Windows NT > 4.0 Option Pack. > > Patch Availability > ================== > Newer versions of Microsoft Data Access Components (MDAC versions 2.0 and> > 2.1) resolve these known vulnerabilities. However, a system that had MDAC > 1.5 installed on it, and then upgraded to MDAC 2.0 or MDAC 2.1 must still > take actions to disable the DataFactory object. (See the Q&A for the > registry settings to adjust, or to download a .REG file that can make the > changes for you.) > > Current versions of Microsoft Data Access Components can be downloaded from > the following web site: > - Microsoft Data Access Download Site > (http://www.microsoft.com/data/download.htm) > > More Information > ================ > Please see the following references for more information related to this > issue. > - Microsoft Security Bulletin MS99-025: Frequently Asked Questions, > http://www.microsoft.com/security/bulletins/MS99-025faq.asp > - Microsoft Knowledge Base (KB) article Q184375, > Security Implications of RDS 1.5, IIS, and ODBC, > http://support.microsoft.com/support/kb/articles/q184/3/75.asp > - Microsoft Universal Data Access Download Page, > http://www.microsoft.com/data/download.htm > - Installing MDAC Q&A, > http://www.microsoft.com/data/MDAC21info/MDACinstQ.htm > - Microsoft Security Advisor web site, > http://www.microsoft.com/security/default.asp > - IIS Security Checklist, > http://www.microsoft.com/security/products/iis/CheckList.asp > > Obtaining Support on this Issue > =============================== > Microsoft Data Access Components (MDAC) is a fully supported set of > technologies. If you require technical assistance with this issue, > please contact Microsoft Technical Support. For information on > contacting Microsoft Technical Support, please see > http://support.microsoft.com/support/contact/default.asp. > > Acknowledgments > =============== > Microsoft acknowledges Greg Gonzalez of ITE (http://www.infotechent.net) for > bringing additional information regarding this vulnerability to our > attention. Microsoft also acknowledges Russ Cooper (NTBugTraq) for his > assistance around this issue. > > Revisions > ========= > - July 19, 1999: Bulletin Created as re-release of MS98-004. > > ------------------------------------------------------------------------- > > THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" > WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER > EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS > FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS > SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, > INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, > EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE > POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR > LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE > FOREGOING LIMITATION MAY NOT APPLY. > > (c) 1999 Microsoft Corporation. All rights reserved. Terms of Use. > > ******************************************************************* > You have received this e-mail bulletin as a result of your registration > to the Microsoft Product Security Notification Service. You may > unsubscribe from this e-mail notification service at any time by sending > an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUESTat_private > The subject line and message body are not used in processing the request, > and can be anything you like. > > For more information on the Microsoft Security Notification Service > please visit http://www.microsoft.com/security/services/bulletin.asp. For > security-related information about Microsoft products, please visit the > Microsoft Security Advisor web site at http://www.microsoft.com/security. >
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:52:42 PDT