Greetings,
I have discovered a major ODBC vulnerability located in the Jet 3.51 (ODBCJT32.DLL
driver). This driver was shipped with MS Office 97.
The vulnerability can be exploited from an MS Excel 97 worksheet (I strongly suspect
that it can also be exploited from an MS Word 97 document). I have not tested other MS
Office versions.
If you open a malicious Excel worksheet implementing this vulnerability, it will send
shell commands to your operating system (Windows NT, 95 and 98 are all affected) that
can: infect you with a virus, delete your disks, read your files. Let's say that the
worksheet will get full control over your machine. As long as the Excel worksheet does
not contain any macro, no message will be displayed upon opening the worksheet.
Be aware that the vulnerability can also be exploited via the Internet:
- A web page can contain a hidden frame like <IFRAME SRC=malicious.XLS>; if you visit
this page you are dead.
- You can receive an e-mail with the same hidden frame; if you open the e-mail and you
are on-line you are also dead. Of course the .XLS can also be sent as a normal
attachment; in this case it is up to you to open the document or not. Do not open
unexpected documents, and switch to off-line state before opening your e-mail messages.
The issue was reported to MS a few days ago. They were aware of the problem and in fact
it has been corrected in the Jet 4.0 driver. This driver is delivered as part of MDAC
2.1. The date (1999 April 26) of the files delivered with this component shows that
MS was aware of the problem a long time ago; however, MS has not informed their millions
of MS Office users about the benefit of installing a new Jet 4 driver for strong
security reasons.
I personally do not agree with the MS way of managing this security issue. If a
software manufacturer itself discovers a high-risk security issue, I expect from the
manufacturer a security bulletin and a fix sent immediately to their users.
MS will presumably post a security bulletin about this issue. The reason for this
bulletin is this posting to NTBugtraq: they decided to release a new bulletin only
after they knew that I was posting this to you, NTBugtraq readers.
Are you affected?
Look at the version of your Jet driver (ODBCJT32.DLL). If it is like 3.51.xxx then
you are affected.
What must you do?
Download MDAC 2.1 from http://www.microsoft.com/data/ and install it immediately. I
hope MS will post detailed information; check their security site at
http://www.microsoft.com/security/
I would like to acknowledge Mr. Prigogine (.Rain.Forest.Puppy) for bringing me the
inspiration for finding this vulnerability. I found it after reading their "short"
NTBugtraq article: "Alert: IIS RDS vulnerability and fix". I would never have discovered
it without their valuable teaching.
Cheers,
Juan Carlos G. Cuartango
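
One way to automate the version check described under "Are you affected?", as an added example that is not part of the original post: it reads the file version from the VS_FIXEDFILEINFO block inside a copy of ODBCJT32.DLL and flags 3.51.x as affected. The function names, the build numbers and the sample bytes are constructed for illustration.

```python
import struct
import sys

VS_FFI_SIGNATURE = 0xFEEF04BD   # dwSignature of the VS_FIXEDFILEINFO structure
VS_FFI_STRUCVERSION = 0x00010000


def file_version(data: bytes):
    """Return (major, minor, build, revision) from the first valid
    VS_FIXEDFILEINFO found in the file bytes, or None if there is none."""
    marker = struct.pack("<I", VS_FFI_SIGNATURE)
    pos = data.find(marker)
    while pos != -1:
        if pos + 16 <= len(data):
            _, struc_ver, ms, ls = struct.unpack_from("<IIII", data, pos)
            if struc_ver == VS_FFI_STRUCVERSION:
                return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
        pos = data.find(marker, pos + 1)   # signature bytes hit by chance, keep looking
    return None


def is_affected(version) -> bool:
    """The post's rule: a driver version like 3.51.xxx is affected."""
    return version is not None and version[:2] == (3, 51)


def sample_dll(major, minor, build, revision) -> bytes:
    """Constructed bytes standing in for a DLL: padding plus a version header."""
    header = struct.pack("<IIII", VS_FFI_SIGNATURE, VS_FFI_STRUCVERSION,
                         (major << 16) | minor, (build << 16) | revision)
    return b"MZ" + b"\x00" * 62 + header


def report(name: str, data: bytes) -> str:
    version = file_version(data)
    if version is None:
        return f"{name}: no version information found"
    state = "AFFECTED (Jet 3.51)" if is_affected(version) else "not 3.51.x"
    return f"{name}: {'.'.join(map(str, version))} -> {state}"


if __name__ == "__main__":
    if len(sys.argv) > 1:            # paths to copies of ODBCJT32.DLL
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(report(path, fh.read()))
    else:                            # constructed samples, build numbers are made up
        print(report("sample-3.51", sample_dll(3, 51, 1234, 0)))
        print(report("sample-4.0", sample_dll(4, 0, 1234, 0)))
```

Run it with one or more paths to ODBCJT32.DLL copies collected from the machines being checked; with no arguments it only exercises the constructed samples.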