Hi All -

I need to provide some follow-up and additional detail on the information discussed below. We've verified that this vulnerability in Jet 3.51 does exist, and urge all customers who are using Jet 3.51 to upgrade to Jet 4.0. This vulnerability should be taken seriously. Office 97 users in particular should consider immediately upgrading their database driver to Jet 4.0, as Jet 3.51 is installed by default in Office 97. Office 2000 users do not need to upgrade, as Office 2000 installs Jet 4.0 by default.

We are developing a security bulletin to provide full information on the vulnerability and the products affected. We'll also provide an easy way to upgrade to Jet 4.0 via our OfficeUpdate web site. We expect to release the bulletin shortly. In the meantime, if you would like to upgrade immediately, you can do so by installing Microsoft Data Access Components version 2.1, which contains Jet 4.0. MDAC 2.1 is available at http://www.microsoft.com/data/.

Finally, I need to dispel some incorrect information. It is not true that Microsoft knew about this vulnerability for some time but did not alert customers until the author posted to NTBugTraq. Jet 4.0 corrected a number of bugs that had been found in Jet 3.51; none of them appeared particularly serious at the time. Two days ago, we were contacted by Mr. Cuartango, who advised us that he had determined a way to exploit in a particularly damaging way one of the bugs in Jet 3.51. We confirmed the attack the same day and agreed with him that the seriousness of the attack warranted a security bulletin. We advised him that we would issue it very soon -- we wanted to ensure that we had a full listing of all affected products and had a simple upgrade mechanism in place. At no time have we attempted to downplay the seriousness of this vulnerability.

Regards,
[EMAIL PROTECTED]

-----Original Message-----
From: Juan Carlos Garcia Cuartango [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 29, 1999 3:45 AM
To: [EMAIL PROTECTED]
Subject: Alert : MS Office 97 Vulnerability

Greetings,

I have discovered a major ODBC vulnerability located in Jet 3.51 (the ODBCJT32.DLL driver). This driver was shipped with MS Office 97. The vulnerability can be exploited from an MS Excel 97 worksheet (I strongly suspect that it can also be exploited from an MS Word 97 document); I have not tested other MS Office versions.

If you open a malicious Excel worksheet implementing this vulnerability, it will send shell commands to your operating system (Windows NT, 95 and 98 are all affected) that can: inoculate you with a virus, delete your disks, read your files. Let's say that the worksheet will get full control over your machine. As far as the Excel worksheet does not contain any macro, no message will be displayed upon opening the worksheet.

Be aware that the vulnerability can also be exploited via the Internet:

- A WEB page can contain a hidden frame like <IFRAME SRC=malicious.XLS>; if you visit this page you are dead.
- You can receive an e-mail with the same hidden frame; if you open the e-mail and you are on-line you are also dead.

Of course the .XLS can also be sent as a normal attachment; in this case it is up to you to open the document or not. Do not open unexpected documents, and switch to the off-line state before opening your e-mail messages.

The issue was reported to MS a few days ago; they were aware of the problem and in fact it has been corrected in the Jet 4.0 driver. This driver is delivered as part of MDAC 2.1. The date (1999 April 26) of the files delivered with this component shows that MS was aware of the problem a long time ago; however, MS has not informed their millions of MS Office users about the benefit of installing a new Jet 4 driver for strong security reasons.

I personally do not agree with the MS way of managing this security issue. If a software manufacturer discovers a high-risk security issue himself, I expect from the manufacturer a security bulletin and a fix sent immediately to their users. MS will very presumably post a security bulletin about this issue. The reason for this bulletin is this posting to NTBugtraq: they decided to release a new bulletin only after they knew that I was posting this to you, NTBugtraq readers.

Are you affected?
Look at the version of your Jet driver (ODBCJT32.DLL). If it is like 3.51.xxx then you are affected.

What must you do?
Download MDAC 2.1 from http://www.microsoft.com/data/ and install it immediately.

I hope MS will post detailed information; check their security site at http://www.microsoft.com/security/

I would like to acknowledge Mr. Prigogine (.Rain.Forest.Puppy) for bringing me the inspiration for finding this vulnerability. I found it after reading their "short" NTBugtraq article: "Alert: IIS RDS vulnerability and fix". I would never have discovered it without their valuable teaching.

Cheers,
Juan Carlos G. Cuartango

Re: Alert : MS Office 97 Vulnerability
Microsoft Product Security Response Team Thu, 29 Jul 1999 21:55:00 -0700
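
The "Are you affected?" check from the quoted message (look at the version of ODBCJT32.DLL and treat 3.51.xxx as affected) can be scripted for a present-day inventory of legacy hosts. The following is an added example, not part of either message: the function name, the status labels and the default file locations are assumptions, and versions other than 3.51 and 4.0 or later are reported as not covered because the thread says nothing about them.

```powershell
# Added example: classify the Jet ODBC driver (ODBCJT32.DLL) by file version.
# Get-JetDriverStatus and its status labels are hypothetical names.
function Get-JetDriverStatus {
    param(
        # Assumed default locations; pass -Path to check copies stored elsewhere.
        [string[]]$Path = @(
            (Join-Path $env:SystemRoot 'System32\odbcjt32.dll'),
            (Join-Path $env:SystemRoot 'SysWOW64\odbcjt32.dll')
        )
    )

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            # Driver not present at this location.
            [pscustomobject]@{ Path = $p; FileVersion = $null; Status = 'NotFound' }
            continue
        }

        # VersionInfo is a System.Diagnostics.FileVersionInfo object.
        $v = (Get-Item -LiteralPath $p).VersionInfo

        # Only the two cases named in the thread are classified:
        # 3.51.xxx is affected, Jet 4.0 (shipped in MDAC 2.1) is the fix.
        $status = if ($v.FileMajorPart -eq 3 -and $v.FileMinorPart -eq 51) {
            'Affected'
        } elseif ($v.FileMajorPart -ge 4) {
            'Jet4OrLater'
        } else {
            'NotCoveredByAdvisory'
        }

        [pscustomobject]@{
            Path        = $p
            FileVersion = $v.FileVersion
            Status      = $status
        }
    }
}

# Report every copy found; 'Affected' rows are the ones to upgrade.
Get-JetDriverStatus | Format-Table -AutoSize
```

A file with no version resource reports 0.0 and therefore shows as NotCoveredByAdvisory, which should be reviewed by hand rather than treated as safe.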