COMMAND

    Excel

SYSTEMS AFFECTED

    Systems running MS Excel 9x (prior?)

PROBLEM

    CALL is an advanced function  in Excel that allows a  worksheet to
    call a procedure in a dynamic link library (DLL) or code resource.
    It is a  legitimate function, and  can be used  in macros or  as a
    worksheet function.  Excel generates a warning to the user  before
    running macros, including those containing the CALL function,  and
    allows the user to  decide whether or not  to run them.   However,
    Excel  does  not  generate  a  warning  before executing worksheet
    functions, and if used in this manner, CALL could be used to  call
    an external DLL without a warning to the user.  An attacker  could
    exploit this functionality by embedding a CALL function within  an
    Excel spreadsheet and sending it to an unwary user.  The  attacker
    would be able to control whether the CALL function fired when  the
    victim opened the spreadsheet or when another event occurred.   It
    is important to note that  the CALL function does not  perform any
    malicious action by itself, and  would serve only as an  initiator
    for a malicious DLL.

    The reality might be worse. Besides running external programs  (as
    if the  ability to  run FORMAT  and DEBUG  wasn't bad enough), the
    CALL function can call the APIs of the kernel - and, therefore, do
    just about anything that can be done under Windows.

    Note that a potential exploit may look like one small HTML file
    and one small Excel 95 file loaded by it (and sent via e-mail).
    When viewed with IE, the HTML file results in Excel loading the
    XLS file and executing a short (6-line) set of formulas in it,
    which (using the CALL function) creates an executable in the root
    directory of drive C: and runs it.  The same will work under
    Netscape, and even if sent as HTML e-mail to Outlook.
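    As an added defender-side example (not code from the advisory or from
    Microsoft), the Python below flags worksheet formulas that invoke CALL
    or REGISTER, i.e. the check to run over formulas extracted as text from
    incoming spreadsheets.  It assumes the formulas have already been pulled
    out of the file by some other tool, and the sample cells, DLL names and
    allowlist are all constructed for illustration.

```python
import re
_FUNC_RE = re.compile(r'(?<![A-Za-z0-9_.])(CALL|REGISTER)\s*\(', re.I)  # at an identifier boundary

def _split_args(text, start):
    # Split the argument list that begins just past '(' at text[start], honouring
    # "..." strings, nested parentheses and , or ; separators. None if unbalanced.
    args, buf, depth, in_str = [], '', 0, False
    for ch in text[start:]:
        if not in_str and ch in ',;' and depth == 0:
            args.append(buf.strip()); buf = ''
        elif not in_str and ch == ')' and depth == 0:   # closes the CALL(...) itself
            return args + [buf.strip()]
        else:
            buf += ch
            if ch == '"':
                in_str = not in_str
            elif not in_str and ch in '()':
                depth += 1 if ch == '(' else -1
    return None

def _unquote(s):  # "text" -> text (with "" unescaped); None for non-literals
    return s[1:-1].replace('""', '"') if len(s) > 1 and s[0] == s[-1] == '"' else None

def find_dll_calls(formula):
    # Every CALL/REGISTER in a formula, with the DLL module and procedure when they
    # are string literals; both None for the register_id form CALL(id, ...).
    out = []
    for m in _FUNC_RE.finditer(formula):
        args = _split_args(formula, m.end()) or []        # unbalanced: still a hit
        lits = [_unquote(a) for a in args[:2]] + [None, None]
        module, proc = (lits[0], lits[1]) if lits[0] is not None else (None, None)
        out.append({"function": m.group(1).upper(), "module": module, "procedure": proc})
    return out

def scan_cells(cells, allowed_modules=()):
    # cells: {address: formula} -> [(address, finding)]; flagged unless the DLL is
    # allowlisted, and always for register_id calls (target defined elsewhere).
    allowed = {m.lower() for m in allowed_modules}
    hits = []
    for addr, formula in cells.items():
        for f in find_dll_calls(formula):
            f["flagged"] = f["module"] is None or f["module"].lower() not in allowed
            hits.append((addr, f))
    return hits

SAMPLE_CELLS = {  # constructed sample worksheet, not taken from a real file
    "A1": '=SUM(B1:B9)',
    "A2": '=CALL("approved.dll","GetCount","J")',
    "A3": '=IF(NOW()>0,CALL("unknown.dll","Start","JJ","c:\\x.exe"),0)',
    "A4": '=CALL(B5,1)',
}
```

    Note that this only covers the worksheet-function path the advisory
    describes; CALL inside macros is a separate check, as the patch below
    leaves that path untouched.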

SOLUTION

    Microsoft has published Knowledge Base (KB) article Q196791 on this
    issue:

        http://support.microsoft.com/support/kb/articles/q196/7/91.asp

    The patch for  this vulnerability is  fully supported.   The patch
    works  by  disabling  the  CALL  worksheet  function, but does not
    disable the CALL function from within macros.  Customers who  need
    the CALL  worksheet function  should evaluate  the degree  of risk
    that it  poses to  their systems,  and determine  whether the best
    course  of  action  is  to  apply  the  patch  or  not.  Microsoft
    recommends that customers  who do not  have a need  to execute DLL
    procedures via worksheet functions apply the patch.  The patch  is
    available via the Office Update web site at:

        http://officeupdate.microsoft.com/downloadDetails/xl97cfp.htm