Microsoft reports security vulnerability in Windows and IE

November 21, 2002

Microsoft Corp. reported security vulnerability in most Windows systems could let a hacker take control of millions of personal computers and Web servers.

In its 65th security bulletin of the year, Microsoft yesterday urged users of Windows 2000, Millennium, 98 and NT 4.0 to download a security patch from the company's security web site. Microsoft's newest version, Windows XP, does not have the problem. The flaw is also present in all versions of Microsoft's Internet Explorer (IE) Web-browsing software.

Versions of the Windows operating system run more than 90 percent of the world's PCs. IE is used by 96 percent of those who browse the Internet, according to market researcher WebSideStory Inc.

Originally the flaw was discovered by security vendor Foundstone Inc., and was rated as "critical" because it could enable an attacker to gain control or run code of his or her choice on vulnerable systems.

The vulnerability resides in the Microsoft Data Access Components that enable Web servers and browsers to communicate with online databases, could be as widespread as the security holes that allowed the Code Red and Nimda worms to spread, said security experts of Foundstone. It can affect more than 4.1 million sites hosted on Microsoft's Internet Information Service (IIS) software.

Moreover, in its next 66th security bulletin Microsoft has released a patch for six Internet Explorer vulnerabilities. The most serious of those flaws could enable an attacker to execute commands on a user’s system.

Source: http://www.pcflank.com/news211102.htm

 

With respect to the MDAC vulnerability, see also discussion here:
http://www.dslreports.com/forum/remark,5073652~root=security,1~mode=flat