News

Critical Vulnerability Affects Most Windows Systems

Microsoft warned users late Wednesday of a critical new vulnerability involving the Microsoft Data Access Components, a ubiquitous technology present on most Windows systems. Especially vulnerable are Web servers in the middle of three-tier architectures with a SQL Server database at the back end and most Internet Explorer users.

Microsoft also issued an unrelated cumulative patch for Internet Explorer.

The critical vulnerability is a buffer overrun involving Remote Data Services (RDS), a component of MDAC. Microsoft describes MDAC as providing underlying functionality for a number of database operations. An unchecked buffer in a function called the RDS Data Stub permits an attacker to use a specially malformed HTTP request to cause a heap overrun. A sophisticated attack could result in the attacker to execute code on the target machine.

"Web server administrators should either install the patch, disable MDAC and/or RDS, or upgrade to MDAC 2.7, which is not affected by the vulnerability. Web client users should install the patch immediately on any system that is used for Web browsing," Microsoft's bulletin warns.

What makes the vulnerability especially serious for Internet Explorer is that the RDS Data Stub is included with all current versions of IE and there is no option to disable it. To exploit the vulnerability, an attacker would need to lure a user to a Web page that would send an HTTP reply to the user that would overrun the buffer.

A patch is available at www.microsoft.com/technet/security/bulletin/ms02-065.asp.

The separate cumulative Internet Explorer patch fixes six newly discovered vulnerabilities. It can be found at www.microsoft.com/technet/security/bulletin/ms02-066.asp.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Microsoft Offers Support Extensions for Exchange 2016 and 2019

    Microsoft has introduced a paid Extended Security Update (ESU) program for on-premises Exchange Server 2016 and 2019, offering a crucial safety cushion as both versions near their Oct. 14, 2025 end-of-support date.

  • An image of planes flying around a globe

    2025 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

  • Notebook

    Microsoft Centers AI, Security and Partner Dogfooding at MCAPS

    Microsoft's second annual MCAPS for Partners event took place Tuesday, delivering a volley of updates and directives for its partners for fiscal 2026.

  • Microsoft Layoffs: AI Is the Obvious Elephant in the Room

    As Microsoft doubles down on an $80 billion bet on AI this fiscal year, its workforce reductions are drawing scrutiny over whether AI's ascent is quietly reshaping its human capital strategy, even as official messaging avoids drawing a direct line.