  1. #1
    New Lounger
    Join Date
    Sep 2002
    Location
    Flatts, Bermuda
    Posts
    17
    Thanks
    0
    Thanked 0 Times in 0 Posts

    MS Security Bulletin (Office 2000 Premium SP3)

    The subject of this post is a recent MS Bulletin exposing a vulnerability in MDAC. I post this here (initially) as my reading suggests that MDAC is on my Win98SE system not as part of the OS but as part of the Office installation. Apologies if this is the incorrect forum. I have sent the following message to MS. In the meantime any input from lounge members would be of interest.

    I downloaded the patch described in Bulletin MS03-033. I tried to install it but this was rejected while determining the version of MDAC installed on my system. I have researched to the limit of my abilities.

    MS03-033 supersedes a July 2002 bulletin (MS02-040) on the same subject which I don't believe I installed. A similar patch was issued in November 2002 (MS02-065) which I did install but this is not referenced in the latest bulletin.

    My version of MDAC is 2.50.4403.9. I have downloaded the MDAC component checker which tells me that this installed version is closest to MDAC 2.5 RTM (2.50.4403.12).

    In reviewing the dahotfix.log created by the hotfix, while I do not fully understand the script, it appears that the version checking consists of 2.52, 2.53, 2.62, 2.70 & 2.71. It seems likely that this is failing as I am using MDAC 2.50.

    I need to know the importance of this patch to my system - the bulletin classifies it IMPORTANT. Can you revise the patch to include the earlier versions of MDAC?

    Your help/advice will be helpful.

  2. #2
    Plutonium Lounger
    Join Date
    Mar 2002
    Posts
    84,353
    Thanks
    0
    Thanked 29 Times in 29 Posts

    Re: MS Security Bulletin (Office 2000 Premium SP3)

    This extract from Microsoft Security Bulletin MS03-33:

        MDAC provides the underlying functionality for a number of database operations, such as connecting to remote databases and returning data to a client. When a client system on a network tries to see a list of computers that are running SQL Server and that reside on the network, it sends a broadcast request to all the devices that are on the network. Due to a flaw in a specific MDAC component, an attacker could respond to this request with a specially crafted packet that could cause a buffer overflow.

        An attacker who successfully exploited this flaw could gain the same level of privileges over the system as the application that initiated the broadcast request. The actions an attacker could carry out would be dependent on the permissions which the application using MDAC ran under. If the application ran with limited privileges, an attacker would be limited accordingly; however, if the application ran under the local system context, the attacker would have the same level of permissions. This could include creating, modifying, or deleting data on the system, or reconfiguring the system. This could also include reformatting the hard disk or running programs of the attacker

  3. #3
    New Lounger
    Join Date
    Sep 2002
    Location
    Flatts, Bermuda
    Posts
    17
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: MS Security Bulletin (Office 2000 Premium SP3)

    Thank you Hans for your reply. No, I am not on a network and am unlikely to be affected by this. However, a part of me wants to patch up-to-date any software that is on my system. MDAC is there on account of Office 2000, I believe. Call me pedantic!

    Would there be any adverse consequence to, say, installing MDAC 2.5 SP3 which should be close to the 2.50 version I have? If it's going to be more trouble than it's worth I'll leave it alone, but if it is plain sailing then it is a loose end tidied. I feel that if I move to a much later version then I may be moving away from compatibility with Win98SE and Office 2000.

  4. #4
    Plutonium Lounger
    Join Date
    Mar 2002
    Posts
    84,353
    Thanks
    0
    Thanked 29 Times in 29 Posts

    Re: MS Security Bulletin (Office 2000 Premium SP3)

    I don't think it will hurt to try it, but I can't guarantee it - I have neither Windows 98 nor Office 2000.

  5. #5
    Platinum Lounger
    Join Date
    Jan 2001
    Location
    Quedgeley, Gloucester, England
    Posts
    5,333
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: MS Security Bulletin (Office 2000 Premium SP3)

    Peter

    I've installed MDAC 2.8 on my Windows XP boxes because, unlike MDAC 2.5, 2.6 and 2.7, it is not subject to the error for which the Security Alert was raised. See MS03-033: Security Update for Microsoft Data Access Components: "MDAC version 2.8 does not contain the flaw that this bulletin fixes."

    But it is over a 5 MB download, which may concern you unless you have some form of broadband connection... You will observe that it supports/is supported on Windows 98 upwards.
    John

    Ita, esto, quidcumque...
