Microsoft has warned users of a critical vulnerability in a component of its Internet Security and Acceleration (ISA) Server used to control internet protocol telephony traffic.
Three bulletins were posted on Microsoft's website yesterday, including lower-priority patches for Exchange Server 2003 and the Microsoft Data Access Components (MDAC), which is used by certain versions of Windows and Microsoft SQL Server.
H.323 is a protocol that is used by IP telephony applications to send audio and video over IP networks. A buffer overflow in a filter for the H.323 data packets, which is part of ISA Server 2000, could enable a malicious hacker to run their own code on vulnerable servers, which would, potentially, grant them total control over the system. Attackers would have to send a special H.323 packet that was designed to trigger the overflow.
Microsoft was just one of many companies that issued warnings about the H.323 vulnerability. Cisco Systems also issued software patches for versions of the Internetwork Operating System (IOS) which contained the vulnerability. (See https://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.)
Attackers would not necessarily have to use voice over IP to trigger the security hole, as long as the vulnerable service was enabled and listening for incoming H.323 traffic, said Network Associates virus research manager Craig Schmugar.
A buffer overrun in a number of versions of MDAC, which support database operations in Windows and SQL Server, was also patched.
Attackers who successfully trigger the security hole, which Microsoft rated "important," could potentially elevate their level of permission on the vulnerable system to the same level as the user running the application that uses MDAC, Microsoft said. (See http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/winjan04.asp.)
A third security patch for Exchange Server 2003 was rated "moderate" and fixes a flaw that could allow Outlook Web Access users to view the contents of other e-mail boxes on the Exchange server, Microsoft said. To take advantage of the security hole, attackers would need a valid Exchange 2003 account. Attackers would not be able to select which e-mail box they view. (See: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/excjan04.asp.)
The releases continue Microsoft's new policy of issuing monthly security updates for customers.
While there are no known exploits for any of the security holes Microsoft patched Tuesday, a fix for at least one actively exploited flaw in Internet Explorer was missing from the batch of patches, Schmugar said.
That vulnerability, commonly referred to as the "0x01 exploit" allows attackers to display a different web address in Internet Explorer's Address field a from the actual location of the web page being displayed. The problem is being exploited by online scam artists in "phishing" scams to harvest online account and personal identification information.
"It's hard to say why they haven't patched that yet. But as [the Internet Explorer exploit] becomes even hotter and is exploited more, I think you'll likely see a patch for that, also," Schmugar said.
Microsoft has, reportedly, patched the problem in Windows XP Service Pack 2 and may well be using the release of that software upgrade to address the problem, said Thor Larholm of security company PivX Solutions.
Paul Roberts writes for IDG News Service