[11188] in bugtraq
Alert : MS Office 97 Vulnerability
daemon@ATHENA.MIT.EDU (aleph1@UNDERGROUND.ORG)
Fri Jul 30 00:18:00 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Message-Id: <19990729195531.25108.qmail@underground.org>
Date: Thu, 29 Jul 1999 12:55:31 -0700
Reply-To: Juan Carlos Garcia Cuartango <cuartangojc@MX3.REDESTB.ES>
From: aleph1@UNDERGROUND.ORG
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Greetings,
I have discovered major ODBC vulnerability located in the Jet 3.51 =
(ODBCJT32.DLL driver) This driver was shipped with MS Office 97.=20
The vulnerability can be exploited from a MS Excel 97 Worksheet (I =
strongly suspect that can also be exploited from a MS Word 97 document) =
, I have not tested other MS Office versions.
If you open a malicious Excel worksheet implementing this vulnerability =
It will send shell commands to your operating system (Windows NT, 95 and =
98 are all affected) that can : inoculate you a virus, delete your =
disks, read your files . let say that the worksheet will get full =
control over your machine. As far as the Excel worksheet does not =
contain any macro no message will be displayed upon opening the =
worksheet.=20
Be aware that the vulnerability can also be exploited via Internet :
- A WEB page can contain a hidden frame like <IFRAME =
SRC=3Dmalicious.XLS> if you visit this page you are dead.
- You can receive an e-mail with the same hidden frame, if you open the =
e-mail and you are on-line you are also dead. Of course the .XLS can =
also be sent as a normal attachment in this case is up to you to open or =
not the document. Do no open unexpected documents and switch to off-line =
state before open your e-mail messages.
The issue was reported to MS few days ago there were aware of the =
problem and in fact It has been corrected in the Jet 4.0 driver this =
driver is delivered a part of MDAC 2.1 . The date (1999 April 26) of the =
files delivered with this component shows that MS was aware of the =
problem long time ago, however MS has not informed their millions of MS =
Office users about the benefit of installing a new Jet 4 driver for =
strong security reasons.=20
I personally do not agree with the MS way of managing this security =
issue. If a software manufacturer discover himself a high risk security =
issue I expect from the manufacturer a security bulletin and a fix sent =
immediately to their users.
MS will very presumably post a security bulletin about this issue the =
reason for this bulletin is this posting to NTBugtraq they decided to =
release a new bulletin only after they knew that I was posting this to =
you, NTBugtaq readers.
Are you affected ?
Look to the version of your Jet Driver (ODBCJT32.DLL) , If it is like =
3.51.xxx then you are affected.
What must you do ?
Download MDAC 2.1 from http://www.microsoft.com/data/ and install It =
immediately. I hope MS will post detailed information check their their =
security site at http://www.microsoft.com/security/
I would like to acknowledge Mr. Prigogine (.Rain.Forest.Puppy) for =
bringing me the inspiration for finding this vulnerability. I found It =
after reading their "short" NTBugtraq article : "Alert: IIS RDS =
vulnerability and fix" . I would never discovered It without their =
valuable teaching.
Cheers,
Juan Carlos G. Cuartango
