A critical buffer overflow vulnerability affecting Microsoft's Internet Information Services (IIS) Web server and Internet Explorer could leave companies open to Nimda-style attackers.
The flaw is in Microsoft Data Access Components, a collection of components that make it easy for programs to access databases and manipulate the data within them. It's used by IIS and Internet Explorer.
Microsoft and security experts are urging affected users to patch their systems as soon as possible. Web servers running Microsoft Data Access Components 2.1, Microsoft Data Access Components 2.5 and Microsoft Data Access Components 2.6 are affected. Several versions of the Windows operating system are also affected. Attackers exploiting the flaw could run code on a vulnerable machine. No exploits are known to exist, experts said.
"Clearly, this vulnerability is very serious, and Microsoft recommends that all customers whose systems could be affected by them take appropriate action immediately," the company said in an advisory released Wednesday.
Exploiting the flaw on the client side is more difficult than on the server side. Web surfers using Internet Explorer 5.01, 5.5 and 6, which use the data access component, could be affected if they visit a Web site set up to exploit the flaw. The issue doesn't affect Windows XP users. Systems using Outlook Express 6 and Outlook 2000 are safe if they are running default settings. People using other versions of the mail client may also be safe if they have run the Outlook E-mail Security Update.
The vulnerability is the result of an unchecked buffer. An attacker can send a malformed HTTP request, which could allow the attacker's data to overrun onto the heap. The buffer overflow is of the heap variety, which is harder to exploit than the more common stack kind.
Creating code to exploit the flaw, however, would take as much savvy as the authors of Code Red and Nimda displayed, said George Kurtz, CEO of Foundstone Inc., which alerted Microsoft to the flaw.
"This is very, very serious," Kurtz said, noting that companies should patch their systems as soon as possible. "We don't want this to become the next security tsunami."
So far, there isn't any known code taking advantage of the flaw, but this shouldn't make affected users complacent. The risks posed by the flaw can't be ignored, Kurtz said. Exploiting it both on the server and client side would allow attackers to gain control of affected systems.