Several new and revised Microsoft security bulletins highlight this week's report because the vulnerabilities are rated Critical. MS03-032, a cumulative patch for Internet Explorer, also addresses some newly discovered vulnerabilities. MS03-032 includes patches for two vulnerabilities that can be exploited if users either visit a malicious Web site or open a specially crafted HTML e-mail. The other bulletin, MS03-033, relates to a collection of database access components called Microsoft Data Access Components (MDAC), which is found in many systems, either as shipped or as an upgrade.
MS03-032 includes all previous security patches for IE 5.01, IE 5.5, and IE 6.0. It also addresses two new vulnerabilities. The first is another cross-site security violation, where a malicious site could allow windows loading different Web sites to share information. This exploit would allow an attacker to run existing code on the vulnerable computer and could lead to information disclosure.
The other new threat addressed by MS03-032 is a failure to correctly determine object types. This vulnerability can be exploited if a user merely visits a malicious Web site or opens an HTML e-mail.
MDAC is a set of database connection tools found in most Microsoft applications. The patch provided with MS03-033 supersedes the one released last year (MS02-040), which originally blamed the problem on the Microsoft SQL Server OpenRowSet command. An attacker sending a malformed UDP packet to an unpatched system could gain complete control over the targeted system. Causing a bit of confusion, the e-mail bulletin for this revision mistakenly listed the original release date as July 31, 2003, instead of the actual July 31, 2002, date.
The Internet Explorer vulnerabilities affect:
- Internet Explorer 5.01
- Internet Explorer 5.5
- Internet Explorer 6.0
- Internet Explorer 6.0 for Windows Server 2003
The MDAC vulnerability affects:
- Microsoft Data Access Components 2.5
- Microsoft Data Access Components 2.6
- Microsoft Data Access Components 2.7
Microsoft Data Access Components 2.8, installed by Windows Server 2003, is not affected.
MDAC is installed by default with Windows Me, 2000, and XP, but it is often also installed on Windows NT 4 systems (as part of the Windows NT 4 Option Pack) or by Microsoft Access or SQL Server. Some components are even installed with Internet Explorer. Because MDAC code is also available as a stand-alone component, it may be found in virtually any Windows system, even older Windows 98 systems.
The original MDAC vulnerability, as announced in MS02-040, was rated Critical. This revised patch, which affects far more systems, is rated only Important, despite the note that an exploit could lead to complete system compromise. Thus, I recommend that IT professionals take it very seriously. The IE flaw is obviously a Critical flaw that involves a number of dangers and should be patched as soon as possible.
Download and install the patches from the two Microsoft security bulletins MS03-032 and MS03-033.
Since IE is in use in nearly all businesses, the new cumulative IE patch in MS03-032 will be important for most IT departments to deploy. Those affected by the MDAC flaw should also deploy the MS03-033 patch as soon as possible.
Also watch out for…
- Microsoft has released an update to MS03-030, a critical security bulletin in DirectX that was initially released on July 23, 2003. In this update, Microsoft has responded to customer demand and added support for additional versions of DirectX.
- The Welchia/Nachi patch worm, which tries to fix Blaster-vulnerable systems but eats up a massive amount of bandwidth, brought down the new $7 billion Navy/U.S. Marine intranet. This could trigger The Patriot Act, which can authorize the U.S. federal government to treat hackers as terrorists. If they can find the person or persons who spread this "friendly" worm, the subsequent publicity and trial should help put a stop to these misguided white hat hackers who think they can police the Internet by themselves.