Microsoft Data Access Components

MDAC, or Microsoft Data Access Components is a Microsoft architecture for providing access to information across an enterprise. It is made up of various components: Active X Data Objects (ADO), OLE DB, and Open Database Connectivity (ODBC). The current version is 2.8, but the product has had many different versions and many of its components have been depreciated and replaced by newer Microsoft technologies.

Current components

ADO

ADOMD

ADOX

OLE DB

SQLOLEDB

Microsoft SQL Server Network Libraries

ODBC

SQLODBC

Deprecated components

Jet

MSDASQL

Oracle ODBC

RDS

JRO

SQL XML

History

MDAC 1.0

MDAC 1.0 was first released in August 1996 ^[1]. According to Microsoft, "MDAC 1.0 existed more as concept than a coordinated, stand-alone setup program." The MDAC 1.0 stack consisted of ODBC 3.0, OLE DB 1.1, ADO 1.0, and the Advanced Data Connector (ADC) 1.0 — which according to Microsoft was the "precursor to the Remote Data Service of MDAC 1.5". It also included ODBC drivers for Access/Jet, SQL Server and Oracle databases. MDAC 1.0 was released via several mechanisms: the Advanced Data Connector shipped with Internet Information Server (IIS) 3.0 and as a downloadable cab file; OLE DB 1.1 and ADO 1.0 shipped with the OLE DB 1.1 SDK, which came with Visual Studio 97 and was also downloadable ^[2]. MDAC 1.0 came with Active Server Pages, that itself came in IIS 3.0, and also came with Visual InterDev 1.0 ^[3].

MDAC 1.5

MDAC 1.5 was released between September 1997 and March 1998, and involved a more centralised distribution mechanism than MDAC 1.0. It was released with with Microsoft Internet Explorer 4.0 and the Internet Client SDK 4.0 and through a CD-ROM given out at the 1997 Professional Developers Conference (PDC). MDAC 1.5a was downloadable from Microsoft's website, MDAC 1.5b came with Windows NT 4.0 Option Pack and MDAC 1.5c — which fixed issues with ADO threading and ODBC Connection Pooling — could be downloaded and came with only the ADO/MDAC runtime components. MDAC 1.5d came included with Windows 98 and Internet Explorer 4.01 service pack 1. ^[4] MDAC 1.5 consisted of ODBC 3.5, OLE DB 1.5, ADO 1.5, and the Remote Data Service 1.5, which superceded the Advanced Data Connector. ^[5] This version of the MDAC had a security flaw that made it vulnerable to a escalated privileges attack, whereby systems with both IIS and MDAC installed an otherwise unauthorized web user was able to perform execute shell commands on the IIS system as a privileged user, use MDAC to tunnel SQL and other ODBC data requests through the public connection to a private back-end network when on a multi-homed Internet-connected IIS system, and gain unauthorized access to secured, non-published files on the IIS system ^[6]

MDAC 2.0

MDAC 2.0 was distributed with the Data Access 2.0 SDK and included the contents of MDAC 1.5, the ODBC 3.5 SDK and the OLE DB 1.5 SDK, and the OLE DB for OLAP Specification; it also had included many updates to the core product ^[7], including a security feature added to the RDS which prevented it from being used maliciously an IIS server ^[8]. This version came included in Windows NT 4.0 SP4, ^[9] and also with Visual Studio 6.0, which came with the full Data Access SDK ^[10].

MDAC 2.1

MDAC 2.1 was distributed with SQL Server 7.0 and SQL Server 6.5 SP5; MDAC 2.1 SP1 was distributed with Internet Explorer 5; MDAC 2.1 SP1a (GA) was distributed with Microsoft Office 2000, BackOffice 4.5 and Visual Studio 98 SP3; however, none of these versions of MDAC were released to the general public via the world wide web. MDAC 2.1 SP2 was distributed from Microsoft's website. The components that were included with 2.1 were: ADO 2.1; RDS 2.1; OLE DB 2.1; the OLE DB Provider for ODBC, SQL Server and Oracle; Jet and Replication Objects (JRO) 2.1; an ODBC driver; a Jet driver and RDO ^[11].

This version had a security vulnerabilities whereby an unchecked buffer could allow an elevated priviledges attack. This was found some time later and it affected MDAC 2.1, 2.5 and 2.6 and was addressed in a later patch ^[12]

MDAC 2.5

MDAC 2.5 was released on February 17, 2000 and distributed with Windows 2000, and the MDAC service packs were released in parallel with the Windows 2000 service packs. They were also distributed through Microsoft's website. Three service packs were released. The components that were included with 2. 5 were: ADO 2.5; ADO Multi-dimension (ADO MD) 2.5; Active Directory ADO (ADOX) 2.5; RDS 2.5; OLE DB 2.5; OLE DB Provider for the ODBC driver for SQL Server, Site Server Search, Internet Publishing, Jet 4.0 (Access 2000), Oracle, Indexing Services (Index Server), Microsoft Data Shaping Services, OLAP Services, DTS Packages, Microsoft Directory Services, SQL Server DTS Flat File, OLE DB Simple Provider; JRO 2.5; ODBC 3.51; an ODBC driver for Microsoft Access, SQL Server, Microsoft Excel, Text, Visual FoxPro, FoxPro VFP, dBase, dBase VFP, Paradox and Oracle; Jet drivers for Excel, Microsoft Exchange, Access, text files, Lotus 1-2-3, Pardox and xBase ^[13].

Several issues were found in this version of MDAC. When using OLE DB Session Pooling, Microsoft COM+ would try to continuously load and unload ODL DB, and a conflict could arise that caused the OLE DB Session Pooling to run at 100% CPU usage. This was later fixed. ^[14] Microsoft published a full list of bugs fixed in MDAC 2.5 Service Pack 2 and MDAC 2.5 Service Pack 3. A security vulnerability also existed (later fixed) whereby an unchecked buffer in was found in the SQL Server Driver. This flaw was introduced in MDAC 2.5 SP2.

MDAC 2.6

MDAC 2.6 was released in September 2000 and was distributed through the web and with Microsoft SQL Server 2000 ^[15] MDAC 2.6 RTM, SP1 (released June 20, 2001), and SP2 (released June 11, 2002) were distributed in parallel with the Microsoft SQL Server 2000 service packs, and could also be downloaded from the Microsoft website.

Beginning with this version of MDAC, Microsoft Jet, Microsoft Jet OLE DB Provider, and the ODBC Desktop Database Drivers were not included. Instead, these could be installed manually. ^[16] Microsoft also released an alert warning that MDAC 2.6 should not be installed on an SQL Server 7.0 Cluster, because "if you install MDAC 2.6 or later on any node in the cluster, directly or through the installation of another program, it may cause a catastrophic failure of the SQL Server Agent or other SQL Server services." ^[17] This issue effected Veritas's Backup Exec 9.0 for Windows Servers, because it installs Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) as its database. Revision 4367 installed MDAC version 2.6 SP2 while revision 4454 installed MDAC version 2.7 SP1, which did not have the problem ^[18]

MDAC 2.7

MDAC 2.7 was released in October 2001 through Microsoft's website. A refresh release was issued in April 2002 through the release of Windows XP and through Microsoft's website. Version 2.7 was available in U.S. English, Chinese (Traditional and Simplified), German, Japanese, Korean, Brazilian Portuguese, Czech, Danish, Greek, Slovak, Slovenian, Spanish, Finnish, French, Hungarian, Italian, Dutch, Norwegian, Polish, Portuguese, Russian, Swedish, and Turkish. Hebrew and Arabic were only available through Windows XP.

The main feature change was support for Microsoft's 64-bit operating system, however support for Banyan Vines was also dropped from this version of MDAC. There were several known issues ^[19]: MDAC 2.7 continued causing connectivity problems on clustered servers running Microsoft SQL Server 6.5 or SQL Server 7.0, with no workaround provided by Microsoft. When creating or configuring ODBC data source names (DSNs) using the Microsoft SQL Server ODBC driver the network library protocol might unexpectedly switch to TCP/IP, even if the DSN was configured to use named pipes. ^[20] Windows XP users also sometimes experienced problems connecting to SQL Server because SQL Server attempts to use certificates it finds on the local computer, however if there is more than one certificate available it did not know which one to use. ^[21] When attempting to use Microsoft Analysis Services 2000 RTM, an error would sometimes appear when trying to browse cubes. ^[22] Microsoft also discovered a problem in a Windows 95, Windows 98, and Windows Me's setup program which prevented the MDAC installation program from rolling back when it encountered an installation error. ^[23]

Several security issues were resolved by Microsoft for MDAC 2.7. David Litchfield of Next Generation Security Software Ltd reported a security vulnerability that results because one of the ODBC functions in MDAC that is used to connect to data sources contained an unchecked buffer. ^[24] Another vulnerability that was fixed was one whereby an attacker could respond to an SQL Server discovery message broadcasted by clients with a specially crafted packet that could cause a buffer overflow. ^[25] Another flaw was found whereby code could be executed remotely when the attack responded to the broadcast with another specially crafted packet ^[26].

MDAC 2.8

MDAC 2.8 was released in August 2003 and distributed with Microsoft Windows Server 2003, as well as on Microsoft's Data Access Technologies website. It did not introduce any new features to the product but fixed a number of bugs and security issues — a reg file (automates changes to the registry) was removed that made the server run in an "unsafe" mode whereby the RDS could be exploited to gain unauthorised access to the system ^[27] and a new restriction was is imposed on the length of the Shape query string ^[28]. There were also several ODBC Administrator changes. ^[29]

Version	Release date	Distribution	Features	Security issues
1.0	August 1996	No coordinated release: ADC – IIS 3.0 OLE DB 1.1 SDK (OLE DB 1.1 and ADO 1.0) - Visual Studio All components included in Visual Interdev 1.0 and with Active Server Pages (released in IIS 3.0)	ODBC 3.0 OLE DB 1.1 ADO 1.0 ADC 1.0 ODBC drivers for Access/Jet, SQL Server and Oracle databases	No bulletins released
1.5	September 1997 - March 1998	Microsoft Internet Explorer 4.0 Internet Client SDK 4.0 (from CD issued at Microsoft PDC)	ODBC 3.5 OLE DB 1.5 ADO 1.5 RDS 1.5 (supercededADC 1.0)	MS99-025
1.5a	September 1997 - March 1998	Microsoft website	Service release
1.5b	September 1997 - March 1998	WindowsNT 4.0 Option Pack	Service release
1.5c	September 1997 - March 1998	Microsoft website	Fixed issues with ADO threading and ODBC Connection Pooling Only came with ADO/MDAC runtime components
2.0	July 1, 1998	Visual Studio 98 Data Access 2.0 SDK	ODBC 3.5 SDK OLE DB 1.5 SDK OLE DB for OLAP Specification	MS98-004
2.0SP1	July 1, 1998	Windows NT 4.0 SP1	Y2K remediation for Windows NT 4.0
2.0SP2	July 1, 1998	Microsoft website	Y2K remediation for all platforms
2.1	July 11, 1998	SQL Server 7.0 SQL Server 6.5 SP5	ADO 2.1 RDS 2.1 OLE DB 2.1 OLE DB Provider for ODBC, SQL Server and Oracle JRO 2.1 ODBC driver Jet driver RDO	MS02-06
2.1 SP1	March 15, 1999	Internet Explorer 5.0
2.1 SP1a (GA)	April 1, 1999	Office 2000 BackOffice 4.5 Visual Studio 98 SP3 Internet Explorer 5.0a (minimal install)
2.1 SP2	Not known	Microsoft website
2.5	February 17, 2000	Windows 2000 Microsoft website	ADO 2.5 ADO MD 2.5 ADOX 2.5 RDS 2.5 OLE DB 2.5 OLE DB Provider for the ODBC driver for: SQL Server Site Server Search Internet Publishing Jet 4.0 (Access 2000) Oracle Indexing Services (Index Server) Microsoft Data Shaping Services OLAP Services DTS Packages Microsoft Directory Services Server DTS Flat File OLE DB Simple Provider JRO 2.5 ODBC 3.51 an ODBC driver for Microsoft Access SQL Server Microsoft Excel Text Visual FoxPro FoxPro VFP dBase dBase VFP Paradox Oracle Jet drivers for: Excel Microsoft Exchange Access text files Lotus 1-2-3 Pardox xBase	MS02-06
2.5 SP1	July 31, 2000	Windows 2000 SP1 Microsoft website
2.5 SP2	April 2000	Windows 2000 SP2 Microsoft website
2.5 SPS3	December 2003	Windows 2000 SP3 Microsoft website
2.6	September 2000	SQL Server 2000 Microsoft website	Not included (manually installed): Microsoft Jet Microsoft Jet OLE DB Provider ODBC Desktop Database Drivers	MS02-06
2.6 SP1	May 2001	SQL Server 2000 SP1 Microsoft website
2.6 SP2	May 2002	SQL Server 2000 SP2 Microsoft website
2.7	October 2001	Windows XP Microsoft website	Support for 64-bit operating systems Banyan Vines support dropped	MS02-06 MS02-040 MS03-033 MS04-003
2.8	August 2003	Windows Server 2003 Microsoft website	Fixed bugs and security issues	MS03-033 MS04-003
2.9	August 2004	Windows XP SP2

Notes

1. ^ Christian Koller, "ADO und MDAC Versionen" : MDAC 1.0 and 1.1 (OLE DB 1.0 and OLE DB 1.1) accessed July 1, 2005.
2. ^ Microsoft, "INFO: What are MDAC, DA SDK, ODBC, OLE DB, ADO, RDS, and ADO/MD?" : The MDAC 1.0 Stack (last reviewed March 14, 2005), accessed July 1, 2005.
3. ^ Christian Koller, "ADO und MDAC Versionen", accessed July 1, 2005.
4. ^ Christian Koller, "ADO und MDAC Versionen" : MDAC 1.5, accessed July 1, 2005.
5. ^ Microsoft, "INFO: What are MDAC, DA SDK, ODBC, OLE DB, ADO, RDS, and ADO/MD?" : The MDAC 1.5 Stack (last reviewed March 14, 2005), accessed July 1, 2005.
6. ^ Microsoft, Microsoft Security Program: Frequently Asked Questions: Microsoft Security Bulletin (MS99-025), accessed July 6, 2005.
7. ^ Microsoft, "INFO: What are MDAC, DA SDK, ODBC, OLE DB, ADO, RDS, and ADO/MD?" : The MDAC 2.0 Stack (last reviewed March 14, 2005), accessed July 6, 2005.
8. ^ Microsoft, PRB: RDS Handler Error Messages Due to Security Settings (last reviewed September 30, 2003), accessed July 6, 2005; Microsoft Security Program: Microsoft Security Bulletin (MS98-004) : "Unauthorized ODBC Data Access with RDS and IIS" (last revision: July 17, 1998), accessed July 6, 2005; CVE vulnerability CVE-1999-1011.
9. ^ Christian Koller, "ADO und MDAC Versionen" : MDAC 2.0, accessed July 1, 2005.
10. ^ Microsoft, "INFO: What are MDAC, DA SDK, ODBC, OLE DB, ADO, RDS, and ADO/MD?" : The MDAC 2.0 Stack (last reviewed March 14, 2005), accessed July 6, 2005.
11. ^ Christian Koller, "ADO und MDAC Versionen" : MDAC 2.1, accessed July 1, 2005.
12. ^ Microsoft, Data Access Components: Security Hotfix for Q329414 (download page); [http://Microsoft Security Bulletin MS02-06 — originally Microsoft KB article Q329414) — (originally posted November 20, 2002), accessed July 6, 2005.
13. ^ Christian Koller, "ADO und MDAC Versionen" : MDAC 2.5, accessed July 1, 2005.
14. ^ Microsoft, MS KB article 320700, "OLE DB Session Pooling Causes 100 Percent CPU Usage (MDAC 2.5)", accessed July 6, 2005.
15. ^ Microsoft, MS KB article 842272 Release manifest for MDAC 2.6 (2.60.6526.3), accessed July 6, 2005.
16. ^ Microsoft, MS KB article 271908 MDAC version 2.6 and later do not contain Jet or Desktop ODBC drivers, accessed July 6, 2005.
17. ^ Microsoft, MS KB article 820754 MDAC 2.6 or later should not be installed on SQL Server 7.0 clusters, accessed July 6, 2005.
18. ^ Veritas, Document ID: 258144 VERITAS Backup Exec (tm) 9.0 for Windows Servers should not be installed on a Microsoft SQL Server 7.0 Cluster.
19. ^ Microsoft, MS KB article 289573 PRB: Configuring DSNs with SQL Server Net-Libraries.
20. ^ Release manifest for MDAC 2.7 Refresh (2.70.9001.0)
21. ^ Microsoft, MS KB article 309398 SQL Server 2000 installation or local connections fail with "SSL Security error :ConnectionOpen (SECDoClientHandshake())" error message.
22. ^ Microsoft, MS KB article 297232 FIX: Cannot Browse Cubes or Process Mining Model After You Install Analysis Services 2000 RTM.
23. ^ Microsoft, MS KB article 311720 PRB: MDAC Rollback May Fail on Windows 95, Windows 98, and Windows Millennium Edition.
24. ^ Microsoft, Microsoft Security Bulletin MS02-040 Unchecked Buffer in MDAC Function Could Enable System Compromise (Q326573).
25. ^ Microsoft, Microsoft Security Bulletin MS03-033 Unchecked Buffer in MDAC Function Could Enable System Compromise (823718)
26. ^ Microsoft, Microsoft Security Bulletin MS04-003 Buffer Overrun in MDAC Function Could Allow Code Execution (832483)
27. ^ Microsoft. MS KB article 818490: INFO: Handunsf.reg File Has Been Removed in MDAC 2.8 Redist Setup for Security Reasons
28. ^ Microsoft. MS KB article 838405: FIX: "Argument passed to data shaping service was invalid" error after you apply MDAC 2.8
29. ^ Microsoft. MS KB article 818489, INFO: ODBC Administrator Changes in MDAC 2.8.

External links

• http://msdn.microsoft.com/data/mdac/default.aspx