Re: Some Thoughts About The "So Called" Excel97 ODBC Security Vulnerability
BUGTRAQ@SECURITYFOCUS.COM
Wanderley J. Abreu Jr. wrote:

> 3. It changes All the 3rd Bytes of EditFlags Entries (All from MS Office
> documents which contain Docking Objects) to 00. It doesn't allow you to see
> what's happening, nor let you change a specific EditFlags Value.

I must agree that your tool is better than the one released by MS, BUT: I think that you missed the problem here. Your post is connected to the ability to open documents without warning inside Internet Explorer, and the only connection is that an Excel file may run a SQL command directed to the Jet ODBC driver, which will run an OS command in the context of the Excel user. Your patch does not prevent running commands through an ODBC connection, does it?

The problem still exists, and to my knowledge what MS recommends is:

1) upgrading to the Jet 4 ODBC driver (which is included in MDAC 2.1), OR
2) if you need to use the older Jet (SQL incompatibilities), waiting for a patch for Jet 3.51.

ODBC can be accessed from a variety of programs, and ANY of them (including a web server accessing a Jet database through ODBC) will be able to run commands in the context of the current user.

There is NO "So Called" Excel 97 ODBC Security Vulnerability. There is a REAL problem in the Jet ODBC driver, first raised over 2 months ago by .rain.forest.puppy (May 25th, subject "Advisory: NT ODBC Remote Compromise"). I thoroughly tested this one day later, the results were sent to BUGTRAQ, and there were not many more comments on the subject (especially from Microsoft). Putting this vulnerability in the context of Excel files does not change the fact that the weak point is NOT in IE, nor in Excel, nor in COM, but still in the very same place: the ODBC Jet driver.

Regards

Bronek Kozicki
Re: Some Thoughts About The "So Called" Excel97 ODBC Security Vulnerability
>3. It changes All the 3rd Bytes of EditFlags Entries (All from MS Office
>documents which contain Docking Objects) to 00. It doesn't allow you to see
>what's happening, nor let you change a specific EditFlags...

This has been available from the AV community since January to address the Russian New Year exploit, but it would address this issue as well. Feed it into REGEDIT or REGEDT32. For a full description, see the proceedings from InfoSec-Paris, June 1999. It's the third set of zeros that matter.

--8<---cut here--->8-
REGEDIT4

[HKEY_CLASSES_ROOT\Word.Addin.8]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\Word.Backup.8]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\Word.Document.8]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\Word.Template.8]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\Word.Wizard.8]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\Excel.Chart.8]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\Excel.Sheet.8]
"EditFlags"=hex:00,00,00,00
--8<---cut here--->8-

For Office 2000, replace ".8" with ".9". Add platforms and other extensions at your leisure.

Jimmy Kuo
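The posted .reg file blanks every EditFlags value outright, and the reply above complains that this hides which byte changed. The script below is an added example, not Jimmy Kuo's file nor Wanderley's RegFix tool: it parses a REGEDIT4 export of the HKEY_CLASSES_ROOT document classes, reports which classes have the "third set of zeros" byte set (that byte carries the 0x00010000 EditFlags bit, FTA_OpenIsSafe, which is what lets IE open the type without prompting), and emits a corrected REGEDIT4 fragment that clears only that bit, leaving the other flag bytes and the untouched classes alone. The sample export embedded in it is constructed for illustration; the values are not a real Office 97 registry dump.

```python
"""Audit and fix the FTA_OpenIsSafe bit in EditFlags entries of a REGEDIT4 file.

Added example, not code posted by anyone in this thread. Run it as-is to see the
report on the constructed sample, or feed it a real "regedit /e" export.
"""
import re

# EditFlags is a little-endian DWORD. The 0x00010000 bit (FTA_OpenIsSafe) sits in
# the third byte, which is why the posted .reg file cares about the third pair of
# zeros: clearing it makes IE prompt before opening that document class.
FTA_OPEN_IS_SAFE = 0x00010000

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
EDITFLAGS_RE = re.compile(
    r'^"EditFlags"=hex:(?P<bytes>[0-9a-fA-F]{2}(?:,[0-9a-fA-F]{2})*)$'
)


def parse_reg(text):
    """Return {class_key: editflags_int} for every EditFlags value in a REGEDIT4 text."""
    flags = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            continue
        m = EDITFLAGS_RE.match(line)
        if m and current:
            data = bytes(int(b, 16) for b in m.group("bytes").split(","))
            # Pad short values so a truncated hex: entry still decodes as a DWORD.
            flags[current] = int.from_bytes(data.ljust(4, b"\0")[:4], "little")
    return flags


def open_is_safe(editflags):
    """True if the class is marked safe to open without a prompt."""
    return bool(editflags & FTA_OPEN_IS_SAFE)


def unsafe_classes(flags):
    """Sorted list of class keys that IE would open silently."""
    return sorted(k for k, v in flags.items() if open_is_safe(v))


def clear_open_is_safe(editflags):
    """Clear only the FTA_OpenIsSafe bit; every other flag bit is preserved."""
    return editflags & ~FTA_OPEN_IS_SAFE & 0xFFFFFFFF


def to_reg_hex(editflags):
    """Render a DWORD in the comma-separated little-endian form REGEDIT4 expects."""
    return ",".join(f"{b:02x}" for b in editflags.to_bytes(4, "little"))


def build_fix_reg(flags):
    """Emit a REGEDIT4 fragment that fixes the flagged classes and nothing else."""
    lines = ["REGEDIT4", ""]
    for key in unsafe_classes(flags):
        lines.append(f"[{key}]")
        lines.append(f'"EditFlags"=hex:{to_reg_hex(clear_open_is_safe(flags[key]))}')
        lines.append("")
    return "\n".join(lines)


# Constructed sample export (assumed values, not a real registry dump): two
# classes have the open-is-safe byte set, one does not, and one also carries an
# unrelated bit in the fourth byte that a blanket "00,00,00,00" would destroy.
SAMPLE_EXPORT = """REGEDIT4

[HKEY_CLASSES_ROOT\\Excel.Sheet.8]
"EditFlags"=hex:00,00,01,00

[HKEY_CLASSES_ROOT\\Word.Document.8]
"EditFlags"=hex:00,00,01,10

[HKEY_CLASSES_ROOT\\Excel.Chart.8]
"EditFlags"=hex:00,00,00,00
"""

if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_EXPORT)
    print("classes marked open-is-safe:", unsafe_classes(parsed))
    print(build_fix_reg(parsed))
```

Feeding the generated fragment back into REGEDIT changes one bit per affected class, so the before/after can be diffed against the original export, which is the visibility the reply asked for. Classes whose third byte is already zero are left out of the fix file entirely.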
Some Thoughts About The "So Called" Excel97 ODBC Security Vulnerability
Well... It's very pleasant to see that Microsoft is doing something about this issue, but...

1. My patch was made 6 days ago, and Jimmy Guse's patch (non-GUI) was made about 3 days before my version was released. (Just in case, my patch is available at the Security Focus homepage: http://www.securityfocus.com/data/vulnerabilities/patches/RegFix.zip)

2. This patch only works with MS documents, ignoring all the other types that could present the same trouble.

3. It changes All the 3rd Bytes of EditFlags Entries (All from MS Office documents which contain Docking Objects) to 00. It doesn't allow you to see what's happening, nor let you change a specific EditFlags Value.

4. It doesn't include the source code (Of Course); my patch does (Of Course) =)

5. It doesn't show you the changes that were made.

6. You'll have to wait a week more to get the final MS patch (that probably won't correct the DocObject environment for other non-Microsoft products).

So perhaps to the general public this workaround could be something good. But for the members of this list (who might want something more complete and to see clearly what's happening inside their computers) Microsoft MUST do something better... far better... I think Microsoft should take a good look at the workarounds that we, the real users, have made and then search for the best solution.

Regards,

Wanderley