Microsoft warns of security hole

Microsoft has issued a warning to developers that a data access component included with its Web server and development tools could be used to gain unauthorized access to corporate databases, and could potentially crash Windows NT-based servers.

The company posted a bulletin yesterday which describes how a malicious user could gain access, via the Internet, to data stored in Microsoft SQL Server and Access databases and possibly "bring down a server or otherwise severely affect its performance."

The problem affects Microsoft's Internet Information Server 4.0 Web server, Remote Data Services 1.5, and Visual Studio 6.0 development tool package.

A Microsoft product manager downplayed the significance of the hole and said so far no security breaches resulting from the hole have been reported.

"A client would need a couple of things to do any damage," said Karan Khanna, a product manager for Windows NT security. "You need to know SQL, the Web address, and passwords. If you follow good security policy, you are fairly immune to this thing," he said.

While successfully exploiting the hole does require "significant inside information," according to the Microsoft security bulletin, the company also warns that "the potential accessibility of this information should not be underestimated."

Microsoft also said that the risk of security vulnerability is even greater if companies have installed newer data access components included with Microsoft's Visual Studio 6.0 toolset.

Khanna said Microsoft initially issued the warning on April 22, and reissued the warning yesterday through a new security bulletin service aimed at large corporations.

The problem stems from a glitch involving a single component of Microsoft's Data Access Components (DAO), a set of data access tools that is installed by default when the company's Internet Information Server 4.0 is loaded onto Windows NT via the Windows NT Option Pack, Microsoft said.

The purpose of the DAO component, called Remote Data Service (RDS), is to allow "controlled" data access, via IIS, to remote data sources, Microsoft said. But, a part of RDS, called DataFactory, can be exploited to allow unauthorized Internet clients to enter data services connected to IIS.

That means that unauthorized users could, through a Web browser, gain access to corporate databases.

The newer components, the Microsoft DataShape Provider and Microsoft JET OLE DB provider, which ship with Visual Studio 6.0, could in combination with DataFactory allow Internet clients to execute shell commands that "could potentially bring down the server and severely affect its performance," Microsoft warns.

Microsoft recommends that companies not using the DataFactory remote access functions disable the feature. Disabling DataFactory involves editing the Windows NT registry, according to the company.

Also, the company said a newer version of RDS, included with Visual Studio 6.0, gives system administrators greater control over data access and could make it easier to safeguard servers. However, the new version of RDS must be correctly configured in order to be effective, the company warns.

Khanna said no "patch" will be issued to correct the known problem. "It's not so much an issue with the component, as it is with configuration of the server and the combination of components," he said.