Re: Microsoft Security Bulletin (MS99-025)

[HorsfallWA () CORNING COM (Horsfall, William A)]

> ----------
> From:         Microsoft Product Security[SMTP:secnotif () MICROSOFT COM]
> Sent:         Monday, July 19, 1999 1:23 PM
> To:   MICROSOFT_SECURITY () ANNOUNCE MICROSOFT COM
> Subject:      Microsoft Security Bulletin (MS99-025)
>
> The following is a Security  Bulletin from the Microsoft Product Security
> Notification Service.
>
> Please do not  reply to this message,  as it was sent  from an unattended
> mailbox.
>                     ********************************
>
> Microsoft Security Bulletin (MS99-025)
> --------------------------------------
>
> Re-Release: Unauthorized Access to IIS Servers through ODBC Data Access with
> RDS
>
> Originally Released as MS98-004, July 17, 1998
> Re-Released as MS99-025, July 19, 1999
>
> Preface
> =======
> This bulletin is a re-release of Microsoft Security Bulletin MS98-004,
> issued July 17, 1998. It  has recently been brought to our attention that
> this vulnerability has been used to gain  unauthorized access to
> Internet-connected systems that have not been updated as per the
> instructions in MS98-004. The intent of re-releasing this bulletin is to
> serve as a reminder  about this vulnerability, to restate the threat, and
> encourage system administrators to evaluate  their systems to determine if
> their systems have been correctly configured and updated to protect  against
> this vulnerability.
>
> Summary
> =======
> Microsoft encourages the following actions be taken on systems that have
> Microsoft(r) Internet  Information Server 3.0 or 4.0 and Microsoft Data
> Access Components 1.5, both of which are  installed during a default
> installation of the Windows NT(r) 4.0 Option pack:
>  - Install the latest version of MDAC (currently MDAC 2.1 SP2).
>
> However, simply upgrading from MDAC 1.5 to MDAC 2.0, or MDAC 2.1 is not
> sufficient. For systems  not explicitly utilizing RDS functionality, you
> should also:
>  - Delete the /msdac virtual directory from the default Web site, or
>  - Apply registry settings that disable the DataFactory object. (See
>    the Q&A for the registry settings to adjust, or to download a .REG
>    file that can make the changes for you.)
>
> For systems implicitly utilizing RDS functionality, you should:
>  - Disable Anonymous Access for the /msadc directory in the default
>    Web site, and/or
>  - Create a Custom Handler to control or filter incoming requests.
>    (http://www.microsoft.com/Data/ado/rds/custhand.htm)
>
> If you do not complete these steps, unauthorized access as described below
> may still be possible.
>
> Frequently asked questions regarding this vulnerability and updating
> systems to protect against it can be found at
> http://www.microsoft.com/security/bulletins/MS99-025faq.asp
>
> Issue
> =====
> The RDS DataFactory object, a component of Microsoft Data Access Components
> (MDAC), exposes  unsafe methods. When installed on a system running Internet
> Information Server 3.0 or 4.0, the  DataFactory object may permit an
> otherwise unauthorized web user to perform privileged actions,  including:
>  - Allowing unauthorized users to execute shell commands on the
>    IIS system as a privileged user.
>  - On a multi-homed Internet-connected IIS system, using MDAC to
>    tunnel SQL and other ODBC data requests through the public connection
>    to a private back-end network.
>  - Allowing unauthorized accessing to secured, non-published files on
>    the IIS system.
>
> Affected Software Versions
> ==========================
>  - Microsoft Internet Information Server 3.0 or 4.0 that have or
>    have had Microsoft Data Access Components 1.5 installed on it.
>
> NOTE: IIS can be installed as part of other Microsoft products like
> Microsoft BackOffice and  Microsoft Site Server.
>
> NOTE: MDAC 1.5 is installed during a default installation of the Windows NT
> 4.0 Option Pack.
>
> Patch Availability
> ==================
> Newer versions of Microsoft Data Access Components (MDAC versions 2.0 and>
> 2.1) resolve these  known vulnerabilities. However, a system that had MDAC
> 1.5 installed on it, and then upgraded to  MDAC 2.0 or MDAC 2.1 must still
> take actions to disable the DataFactory object. (See the Q&A for  the
> registry settings to adjust, or to download a .REG file that can make the
> changes for you.)
>
> Current versions of Microsoft Data Access Components can be downloaded from
> the following web  site:
>  - Microsoft Data Access Download Site
>    (http://www.microsoft.com/data/download.htm)
>
> More Information
> ================
> Please see the following references for more information related to this
> issue.
>  - Microsoft Security Bulletin MS99-025: Frequently Asked Questions,
>    http://www.microsoft.com/security/bulletins/MS99-025faq.asp
>  - Microsoft Knowledge Base (KB) article Q184375,
>    Security Implications of RDS 1.5, IIS, and ODBC,
>    http://support.microsoft.com/support/kb/articles/q184/3/75.asp
>  - Microsoft Universal Data Access Download Page,
>    http://www.microsoft.com/data/download.htm
>  - Installing MDAC Q&A,
>    http://www.microsoft.com/data/MDAC21info/MDACinstQ.htm
>  - Microsoft Security Advisor web site,
>    http://www.microsoft.com/security/default.asp
>  - IIS Security Checklist,
>    http://www.microsoft.com/security/products/iis/CheckList.asp
>
> Obtaining Support on this Issue
> ===============================
> Microsoft Data Access Components (MDAC) is a fully supported set of
> technologies. If you require technical assistance with this issue,
> please contact Microsoft Technical Support. For information on
> contacting Microsoft Technical Support, please see
> http://support.microsoft.com/support/contact/default.asp.
>
> Acknowledgments
> ===============
> Microsoft acknowledges Greg Gonzalez of ITE (http://www.infotechent.net) for
> bringing additional  information regarding this vulnerability to our
> attention. Microsoft also acknowledges Russ  Cooper (NTBugTraq) for his
> assistance around this issue.
>
> Revisions
> =========
>  - July 19, 1999: Bulletin Created as re-release of MS98-004.
>
> -------------------------------------------------------------------------
>
> THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
> WITHOUT WARRANTY OF  ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
> EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES  OF MERCHANTABILITY AND FITNESS
> FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION  OR ITS
> SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
> INCIDENTAL,  CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
> EVEN IF MICROSOFT CORPORATION OR ITS  SUPPLIERS HAVE BEEN ADVISED OF THE
> POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE  EXCLUSION OR
> LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
> FOREGOING  LIMITATION MAY NOT APPLY.
>
> (c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.
>
>    *******************************************************************
> You have received  this e-mail bulletin as a result  of your registration
> to  the   Microsoft  Product  Security  Notification   Service.  You  may
> unsubscribe from this e-mail notification  service at any time by sending
> an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUEST () ANNOUNCE MICROSOFT COM
> The subject line and message body are not used in processing the request,
> and can be anything you like.
>
> For  more  information on  the  Microsoft  Security Notification  Service
> please visit http://www.microsoft.com/security/services/bulletin.asp. For
> security-related information  about Microsoft products, please  visit the
> Microsoft Security Advisor web site at http://www.microsoft.com/security.