=====================================================================
                                     CERT-Renater

                          Information Note No. 2007/VULN044
_____________________________________________________________________

DATE                      : 14/02/2007

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Windows 2000, Windows XP, Windows Server 2003
                                  running Microsoft Data Access Components.

======================================================================

MS07-009 - Vulnerability in Microsoft Data Access Components Could Allow
            Remote Code Execution (927779)

Affected Software:
    - Microsoft Data Access Components 2.5 Service Pack 3 on Microsoft
      Windows 2000 Service Pack 4
    - Microsoft Data Access Components 2.8 Service Pack 1 on Microsoft
      Windows XP Service Pack 2
    - Microsoft Data Access Components 2.8 on Microsoft Windows Server 2003
    - Microsoft Data Access Components 2.8 on Microsoft Windows Server 2003
      for Itanium-based Systems

Non-Affected Software:
    - Microsoft Data Access Components 2.8 Service Pack 2 on Microsoft
      Windows XP Professional x64 Edition
    - Microsoft Data Access Components 2.8 Service Pack 2 on Microsoft
      Windows Server 2003 Service Pack 1
    - Microsoft Data Access Components 2.8 Service Pack 2 on Microsoft
      Windows Server 2003 with SP1 for Itanium-based Systems
    - Microsoft Data Access Components 2.8 Service Pack 2 on Microsoft
      Windows Server 2003 x64 Edition
    - Windows Data Access Components 6.0 on Windows Vista

Full MS07-009 advisory:
    http://www.microsoft.com/technet/security/Bulletin/ms07-009.mspx

Vulnerability Details

Microsoft Windows MDAC ActiveX Vulnerability - CVE-2006-5559:

    A remote code execution vulnerability exists in the ADODB.Connection
    ActiveX control that is provided as part of the ActiveX Data Objects
    (ADO) and that is distributed in MDAC. An attacker who successfully
    exploited this vulnerability could take complete control of an
    affected system.

======================================================================

            =========================================================
            CERT-Renater reference servers
            http://www.urec.fr/securite
            http://www.cru.fr/securite
            http://www.renater.fr
            =========================================================
            + CERT-RENATER          | tel : 01-53-94-20-44          +
            + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
            + 75013 Paris           | email: certsvp@renater.fr     +
            =========================================================

