Windows NT and 2000 ship with vulnerable MDAC versions, but the vulnerability cannot be exploited on a default installation of a Windows 2000 web server because RDS is not enabled. Windows XP is not vulnerable because it contains MDAC 2.7.
CVE 1999-1011
A second vulnerability in msadcs.dll allows
arbitrary shell commands to be embedded in queries to
ODBC databases. These commands will be executed with
system_local privileges, giving an attacker complete control
of the system. MDAC 1.5 and 2.0 are affected by this
vulnerability. Higher versions could also be affected if
they were installed as upgrades to previous versions, or
if the RDS Sample Pages are installed.
To fix the problem, install patch Q329414. This patch is designed to fix the RDS buffer overflow on all platforms for both client and server applications. It is important to understand that this patch, while fixing the problem, cannot set the kill bit on the vulnerable ActiveX control, and thus cannot prevent a malicious web site from re-introducing a vulnerable version of the control. Furthermore, the installation of prior MDAC service packs can re-introduce the vulnerability, so the latest MDAC service pack should be applied before the patch is applied.
To fix the ODBC query shell command execution, upgrade to the latest version of MDAC, and ensure that it is running in safe mode. See Microsoft Security Bulletin 99-025 FAQ for more information.
For more information on the ODBC query vulnerability and alternate solutions, please refer to the Rain Forest Puppy advisory RFP9907 and Microsoft Security Bulletin 99-025.