Redmond, WA — As Mike Ricciuti reported for CNET NEWS.COM, Microsoft has released a warning to developers that a data access component included with the company’s Web server and development tools could be used to gain unauthorized access to corporate databases, and could crash Windows NT-based servers.
The company has posted a bulletin which describes how a malicious user could gain access via the Internet to data stored in Microsoft SQL Server and Access databases and possibly “bring down a server or otherwise severely affect its performance.”
The problem affects Microsoft’s Internet Information Server 4.0 Web server, Remote Data Services 1.5, and Visual Studio 6.0 development tool package. A Microsoft product manager downplayed the significance of the hole and said so far no security breaches resulting from the hole have been reported.
“A client would need a couple of things to do any damage,” said Karan Khanna, a product manager for Windows NT security. “You need to know SQL, the Web address, and passwords. If you follow good security policy, you are fairly immune to this thing,” he said.
While taking advantage of the hole does require “significant inside information,” according to the Microsoft security bulletin, the company also warns that “the potential accessibility of this information should not be underestimated.”
Microsoft also said that the risk of security vulnerability is greater still if companies have installed newer data access components included with Microsoft’s Visual Studio 6.0 toolset.
Khanna said Microsoft initially issued the warning on April 22, and subsequently re-issued the warning through a new security bulletin service aimed at large corporations.
The problem stems from a glitch involving a single component of Microsoft’s Data Access Components (DAO), a set of data access tools that is installed by default when Internet Information Server 4.0 is loaded onto Windows NT via the Windows NT Option Pack, Microsoft said.
The point of the DAO component, called Remote Data Service (RDS), is to enable “controlled” data access, via IIS, to remote data sources, Microsoft said. But, a part of RDS, called DataFactory, can be exploited to allow unauthorized Internet clients to enter data services connected to IIS. That means that unauthorized users could, through a Web browser, gain access to corporate databases.
The newer components, the Microsoft DataShape Provider and Microsoft JET OLE DB provider, which ship with Visual Studio 6.0, could in combination with DataFactory allow Internet clients to execute shell commands that “could potentially bring down the server and severely affect its performance,” Microsoft warns.
Microsoft recommends that companies not using the DataFactory remote access functions disable the feature. Disabling DataFactory involves editing the Windows NT registry, according to the company.
Also, the company said a newer version of RDS, included with Visual Studio 6.0, gives system administrators greater control over data access and could make it easier to safeguard servers. However, the new version of RDS must be correctly configured in order to be effective, the company warns.
Khanna said no “patch” will be issued to correct the known problem. “It’s not so much an issue with the component, as it is with configuration of the server and the combination of components,” he said.