Several new and revised Microsoft security bulletins highlight this week's report because the vulnerabilities are rated Critical. MS03-032, a cumulative patch for Internet Explorer, also addresses some newly discovered vulnerabilities. MS03-032 includes patches for two vulnerabilities that can be exploited if users either visit a malicious Web site or open a specially crafted HTML e-mail. The other bulletin, MS03-033, relates to a collection of database access components called Microsoft Data Access Components (MDAC), which is found in many systems, either as shipped or as an upgrade.
Details
MS03-032 includes all previous security patches for IE 5.01, IE 5.5, and IE 6.0. It also addresses two new vulnerabilities. The first is another cross-site security violation, where a malicious site could allow windows loading different Web sites to share information. This exploit would allow an attacker to run existing code on the vulnerable computer and could lead to information disclosure.
The other new threat addressed by MS03-032 is a failure to correctly determine object types. This vulnerability can be exploited if a user merely visits a malicious Web site or opens an HTML e-mail.
MDAC is a set of database connection tools found in most Microsoft applications. The patch provided with MS03-033 supersedes the one released last year (MS02-040), which originally blamed the problem on the Microsoft SQL Server OpenRowSet command. An attacker sending a malformed UDP packet to an unpatched system could gain complete control over the targeted system. Causing a bit of confusion, the e-mail bulletin for this revision mistakenly listed the original release date as July 31, 2003, instead of the actual July 31, 2002, date.
Applicability
The Internet Explorer vulnerabilities affect:
- Internet Explorer 5.01
- Internet Explorer 5.5
- Internet Explorer 6.0
- Internet Explorer 6.0 for Windows Server 2003
The MDAC vulnerability affects:
- Microsoft Data Access Components 2.5
- Microsoft Data Access Components 2.6
- Microsoft Data Access Components 2.7
Microsoft Data Access Components 2.8, installed by Windows Server 2003, is not affected.
MDAC is installed by default with Windows Me, 2000, and XP, but it is often also installed on Windows NT 4 systems (as part of the Windows NT 4 Option Pack) or by Microsoft Access or SQL Server. Some components are even installed with Internet Explorer. Because MDAC code is also available as a stand-alone component, it may be found in virtually any Windows system, even older Windows 98 systems.
Risk level—critical
The original MDAC vulnerability, as announced in MS02-040, was rated Critical. This revised patch, which affects far more systems, is rated only Important, despite the note that an exploit could lead to complete system compromise. Thus, I recommend that IT professionals take it very seriously. The IE flaw is obviously a Critical flaw that involves a number of dangers and should be patched a soon as possible.
Fix
Download and install the patches from the two Microsoft security bulletins MS03-032 and MS03-033.
Final word
Since IE is in use in nearly all businesses, the new cumulative IE patch in MS03-032 will be important for most IT departments to deploy. Those affected by the MDAC flaw should also deploy it as soon as possible.
TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to firewalls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.
©2003 TechRepublic, Inc.
