• MS Security Bulletin (Office 2000 Premium SP3)

    #392367

    The subject of this post is a recent MS Bulletin exposing a vulnerability in MDAC. I post this here (initially) as my reading suggests that MDAC is on my Win98SE system not as part of the OS but as part of the Office installation. Apologies if this is the incorrect forum. I have sent the following message to MS. In the meantime any input from lounge members would be of interest.

    I downloaded the patch described in Bulletin MS03-033. I tried to install it but this was rejected while determining the version of MDAC installed on my system. I have researched to the limit of my abilities.

    MS03-033 supersedes a July 2002 bulletin (MS02-040) on the same subject which I don’t believe I installed. A similar patch was issued in November 2002 (MS02-065) which I did install but this is not referenced in the latest bulletin.

    My version of MDAC is 2.50.4403.9. I have downloaded the MDAC component checker which tells me that this installed version is closest to MDAC 2.5 RTM (2.50.4403.12).

    In reviewing the dahotfix.log created by the hotfix, while I do not fully understand the script, it appears that the version checking consists of 2.52, 2.53, 2.62, 2.70 & 2.71. It seems likely that this is failing as I am using MDAC 2.50.

    I need to know the importance of this patch to my system – the bulletin classifies it IMPORTANT. Can you revise the patch to include the earlier versions of MDAC?

    Your help/advice will be helpful.

    • #704055

      This extract from Microsoft Security Bulletin MS03-033:


      MDAC provides the underlying functionality for a number of database operations, such as connecting to remote databases and returning data to a client. When a client system on a network tries to see a list of computers that are running SQL Server and that reside on the network, it sends a broadcast request to all the devices that are on the network. Due to a flaw in a specific MDAC component, an attacker could respond to this request with a specially crafted packet that could cause a buffer overflow.
      An attacker who successfully exploited this flaw could gain the same level of privileges over the system as the application that initiated the broadcast request. The actions an attacker could carry out would be dependent on the permissions which the application using MDAC ran under. If the application ran with limited privileges, an attacker would be limited accordingly; however, if the application ran under the local system context, the attacker would have the same level of permissions. This could include creating, modifying, or deleting data on the system, or reconfiguring the system. This could also include reformatting the hard disk or running programs of the attacker

      • #704877

        Thank you Hans for your reply. No I am not on a network and am unlikely to be affected by this. However, a part of me wants to patch up-to-date any software that is on my system. MDAC is there on account of Office 2000, I believe. Call me pedantic!

        Would there be any adverse consequence to, say, installing MDAC 2.5 SP3 which should be close to the 2.50 version I have? If it’s going to be more trouble than it’s worth I’ll leave it alone, but if it is plain sailing then it is a loose end tidied. I feel that if I move to a much later version then I may be moving away from compatibility with Win98SE and Office 2000.

        • #704878

          I don’t think it will hurt to try it, but I can’t guarantee it – I have neither Windows 98 nor Office 2000.

        • #704995

          Peter

          I’ve installed MDAC 2.8 on my Windows XP boxes because, unlike MDAC 2.5, 2.6 and 2.7, it is not subject to the error for which the Security Alert was raised. See MS03-033: Security Update for Microsoft Data Access Components: “MDAC version 2.8 does not contain the flaw that this bulletin fixes.”

          But it is over a 5 MB download, which may concern you unless you have some form of broadband connection… You will observe that it supports/is supported on Windows 98 upwards.
