The flaw discovered last week in Microsoft Data Access Components, a set of components used by Internet Information Services (IIS) Web server and Internet Explorer Web browser, are not to be ignored, but they aren't as serious as initially thought, experts say.
The vulnerability is not likely to fuel new viruses or worms, but it could be used for targeted attacks on vulnerable systems, experts said. The way it affects clients is also an area of concern.
Some experts predicted the vulnerability could be as serious as the one Nimda and Code Red exploited last year. All experts agree that users should patch their systems, because the vulnerability could allow attackers to run arbitrary code on systems.
While the vulnerability is serious in scope and theory, practically it probably won't be that serious, said Tim Mullen, CIO and chief software architect for AnchorIS.com, a developer of secure enterprise-based accounting software. For example, Windows XP isn't affected by the vulnerability. "This means 43 million users are pulled out of the pool," he said.
Security-conscious IIS users probably don't have a lot to worry about because they would have removed the MDAC virtual directory a long time ago, said Brett Hill, a Microsoft certified IIS trainer.
MDAC comprises a host of utilities that systems use. The vulnerability is in just one piece, which is not used much. "It's like the 50th floor in a 100-story building," Hill said.
Many administrators have already shut down access to the 50th floor, the area of MDAC with the vulnerability. "While you may not use it, you still need the 50th floor," Hill said.
On the client side, there is the risk that an attacker sends an HTML e-mail or sets up a malicious Web site that takes advantage of the flaw. The latter scenario is unlikely, "as it's easy to track down an exploit on a Web site," Mullen said.
Even the exploit carried by an HTML e-mail isn't that dangerous. Both Outlook 98 and Outlook 2000 would be immune to the attack if they had security updates. Users of Outlook Express 6 and Outlook 2002 would be immune by default.
Creating a worm to take advantage of the vulnerability would require a lot of things to be in place for it to work. The vulnerability requires the Web server to have Remote Data Services (RDS) running. The vulnerability is in a function called the RDS Data Stub, which parses incoming HTTP requests and generates RDS commands.
Not many users are using RDS and, if they are, they may be using it internally, Mullen said.
Such a situation would imply that an attacker would need to know that and hence the attack would need to be more targeted. The biggest danger associated with the flaw is that someone can use it to attack a specific target, Mullen said.
At this point, there isn't a published way to exploit the vulnerability, which limits script kiddies' use of it. Eventually, however, someone will write an exploit for it. Even then, most virus writers will probably not use it, Mullen said.
"There are much easier things to do if you know enough about the client," Mullen said. "[With the flaw,] a lot of things have to be in place for it to work."