SQL Server Performance

MS03-033: Security Update for MDAC

Discussion in 'Forum Announcements' started by gaurav_bindlish, Sep 3, 2003.

  1. gaurav_bindlish New Member

    MS03-033: Security Update for Microsoft Data Access Components
    http://support.microsoft.com/?kbid=823718

    MDAC is a set of database connection tools found in most Microsoft applications. The patch provided with MS03-033 supersedes the one released last year (MS02-040), which originally blamed the problem on the Microsoft SQL Server OpenRowSet command. An attacker sending a malformed UDP packet to an unpatched system could gain complete control over the targeted system. Causing a bit of confusion, the e-mail bulletin for this revision mistakenly listed the original release date as July 31, 2003, instead of the actual July 31, 2002, date.

    The MDAC vulnerability affects:

    - Microsoft Data Access Components 2.5
    - Microsoft Data Access Components 2.6
    - Microsoft Data Access Components 2.7

    Microsoft Data Access Components 2.8, installed by Windows Server 2003, is not affected.

    MDAC is installed by default with Windows Me, 2000, and XP, but it is often also installed on Windows NT 4 systems (as part of the Windows NT 4 Option Pack) or by Microsoft Access or SQL Server. Some components are even installed with Internet Explorer. Because MDAC code is also available as a stand-alone component, it may be found in virtually any Windows system, even older Windows 98 systems.

    Risk level—Critical
    The original MDAC vulnerability, as announced in MS02-040, was rated Critical. This revised patch, which affects far more systems, is rated only Important, despite the note that an exploit could lead to complete system compromise. Thus, I recommend that IT professionals take it very seriously.
