RE: Question: Buffer Overrun in Microsoft Data Access Components Coul d Lead to Code Execution (Q329414)

We just finished upgrading the version of MDAC on all servers to 2.7

One concern I have is that the MDAC version now shows up as version 2.7 GOLD when hfnetchk is run against an upgraded server. Further, there is a recommendation to upgrade to MDAC 2.7 sp1 which, as far as I can tell, cannot be downloaded from Microsoft's site.  

-----Original Message-----
From: Fraser Hugh [mailto:hugh_fraser@dofasco.ca] Sent: Thursday, November 28, 2002 7:38 AM To: 'Harris, Ken'; 'focus-ms@securityfocus.com' Subject: RE: Question: Buffer Overrun in Microsoft Data Access Components Coul d Lead to Code Execution (Q329414)

I have the same concerns with the message contained in the security bulletin. When I read between the lines, it seems to me that the "more permanent" solution referred to will be the one Microsoft already has in their back pocket... upgrade to 2.7. It is possible to prevent users from adding entries to the trusted publishers list, but when combined with removing Microsoft from the Trusted Publishers, it results in an unacceptable browser configuration for us.

We are, therefore, focusing our resources on a 2.7 upgrade for our systems.

I'd like to hear from others about their reaction/solution to the bulletin. While Microsoft categorizes the vulnerability as critical, our representative was surprised we were calling for any info about it. Apparently we were the only ones.

> -----Original Message-----
Received on Mon Dec 2 15:58:12 2002