Critical Buffer Overflow in Windows Clients & Servers

By N-Stalker Team on November 20, 2002

Microsoft has released security bulletin MS02-065 to address a very serious vulnerability affecting both Windows PCs and servers. A buffer overflow exists in Microsoft Data Access Components (MDAC), which is installed by default on Windows XP, 2000, and Me and also comes with several applications for NT 4.0. By sending a malformed HTTP request to an IIS web server, or by leading an IE user to a maliciously crafted site, an attacker could execute arbitrary code on a victim’s PC. A patch has been made available; Windows XP users are not affected by the vulnerability and do not need to download the patch. Also note that patched systems can still be exploited under limited circumstances – see the bulletin for more details. Microsoft has also released a simplified advisory written with end users in mind. We urge you to update your computer immediately – the fact that this vulnerability affects both client and server PCs could bring about attacks beyond the scale of last year’s Code Red and Nimda.

(N-Stalker Security Force)
