Vulnerability in ActiveX Data Objects

This morning, Microsoft's Security Response Center acknowledged the discovery of a vulnerability affecting its key ActiveX Data Objects database control, which is enrolled in COM under the handle ADODB.Connection. The vulnerability was apparently discovered by an independent researcher, and was brought to light by US-CERT and SecurityFocus.

ADO was designed to serve as a basic, no-frills sequential database access library that could be called using ordinary scripting languages. Prior to its initial release in the mid-1990s, the library was beta-tested for possible use with distributed Web applications, where a Web page containing a database control console could enable a user to access a database on his local system.

More practically, ADO was used for scripts and low-level languages, and it remains one of the Windows controls most often used by high-level language programmers to address Access databases.

The vulnerability is, once again, nothing very complex: since calls placed to the ADO library are asynchronous, the calling program need not pause while awaiting a response. The exploit, whose JavaScript element is only six instructions long, simply crafts a series of erroneous instructions within a long loop clause, with a method at the end that invokes ADO's SQL parser. The parser cannot possibly parse these instructions, but again, the calling program need not wait for an answer before proceeding to the next call.

As US-CERT reports today, overloading the ADO control with false SQL statements could enable a malicious user to execute code remotely through Internet Explorer 6.0. No word has been given as to whether the vulnerability affects IE7.

Despite the library's title, "ActiveX Data Objects" is actually not directly related to ActiveX, the system of deploying interactive COM controls through Web pages in IE.

At least one beta tester discovered a form of this same vulnerability, in the context of a VBA macro, during the production of a book on Office 2000 macro development seven years ago.
