COMMAND
MDAC
SYSTEMS AFFECTED
Office95, Office97, MDAC prior to 2.1
PROBLEM
Juan Carlos Garcia Cuartango discovered a major ODBC vulnerability
located in the Jet 3.51 driver (ODBCJT32.DLL). This driver was
shipped with MS Office 97. The vulnerability can be exploited
from an MS Excel 97 worksheet (it can also be exploited from an MS
Word 97 document). If you open a malicious Excel worksheet that
exploits this vulnerability, it will send shell commands to your
operating system (Windows NT, 95 and 98 are all affected) that can
infect you with a virus, delete your disks, or read your files -
let's say that the worksheet will get full control over your
machine.
Since the Excel worksheet does not contain any macro, no
message will be displayed upon opening the worksheet. Be aware
that the vulnerability can also be exploited via the Internet: a
web page can contain a hidden frame like
<IFRAME SRC=malicious.XLS>; if you visit this page you are dead.
You can receive an e-mail with the same hidden frame; if you open
the e-mail and you are on-line you are also dead. Of course the
.XLS can also be sent as a normal attachment; in this case it is
up to you whether to open the document. Do not open unexpected
documents, and switch to off-line state before opening your e-mail
messages.
SOLUTION
The issue was reported to MS. It has been corrected in the Jet
4.0 driver, which is delivered as part of MDAC 2.1. The date
(1999 April 26) of the files delivered with this component shows
that MS was aware of the problem a long time ago; however, MS has
not informed their millions of MS Office users about the benefit
of installing the new Jet 4 driver for strong security reasons.
Download MDAC 2.1 from http://www.microsoft.com/data/ and install
it immediately. However, MDAC 2.1 is not an acceptable answer for
many.
Applications designed to work with specific earlier versions of
JET may not work with JET 4.0, or the way JET 4.0 handles things
may be different. Since 3rd parties are able to distribute ODBC
components with their products, they may expect them to be what
they supplied, or functionality breaks. A better fix than MDAC
2.1, one which does not force an upgrade to JET 4.0, is being
looked at very seriously by Microsoft. Unfortunately, the number
of products which use JET is enormous, so the ramifications of
revising JET 3.51 to preclude the possibility of exploit while
maintaining its existing functionality have to be considered
carefully.
Jimmy Guse has provided a little command-line tool (including
source) which will allow you to toggle the setting on the "Confirm
open after download" byte on DocObjects (web-trusted applications).
The tool will show you all object types which are enabled to have
the setting, allow you to reset them silently and automatically
(e.g. as part of a login script), log the results, and more. The
program is a 17kb zip file (includes source, executable, and HTML
instructions) that is freeware, and is now available from:
http://ntbugtraq.ntadvice.com/office97fix.asp
Microsoft have released their own tool to toggle the "Confirm
open after download" flag on MS Office document types. See:
http://www.microsoft.com/security/Issues/OfficeDocOpenTool.asp
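
To audit the setting that both tools toggle, the following added
example (not Jimmy Guse's or Microsoft's code) reads a regedit
export and lists document types that open without confirmation.
It assumes the flag is the FTA_OpenIsSafe bit (0x00010000) of the
EditFlags value under each HKEY_CLASSES_ROOT ProgID; the sample
export and its ProgIDs are constructed.

```python
import re

# shlwapi.h FTA_OpenIsSafe: when set, "Confirm open after download" is OFF.
# In a REG_BINARY EditFlags value this is the third byte (00,00,01,00).
FTA_OPEN_IS_SAFE = 0x00010000

# Constructed sample in REGEDIT4 export format (not from a real machine).
SAMPLE_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\Excel.Sheet.8]
@="Microsoft Excel Worksheet"
"EditFlags"=hex:00,00,01,00

[HKEY_CLASSES_ROOT\Excel.Sheet.8\shell\Open\command]
@="excel.exe /e"

[HKEY_CLASSES_ROOT\Word.Document.8]
"EditFlags"=dword:00000000

[HKEY_CLASSES_ROOT\PowerPoint.Show.8]
"EditFlags"=hex:00,00,\
  01,00
'''

def parse_edit_flags(raw):
    """Decode an exported EditFlags value (dword: or hex:) to an integer."""
    kind, _, data = raw.strip().partition(":")
    if kind == "dword":
        return int(data, 16)
    if kind == "hex":  # REG_BINARY is stored little-endian
        octets = bytes(int(b, 16) for b in data.split(",") if b.strip())
        return int.from_bytes(octets[:4].ljust(4, b"\0"), "little")
    raise ValueError("unsupported EditFlags type: " + kind)

def audit(reg_text):
    """Map each top-level ProgID with EditFlags to True if it opens unprompted."""
    text = re.sub(r"\\\r?\n\s*", "", reg_text)  # join regedit continuation lines
    results, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            m = re.fullmatch(r"\[HKEY_CLASSES_ROOT\\([^\\\]]+)\]", line)
            key = m.group(1) if m else None  # skip subkeys such as shell\Open
        elif key and line.lower().startswith('"editflags"='):
            flags = parse_edit_flags(line.split("=", 1)[1])
            results[key] = bool(flags & FTA_OPEN_IS_SAFE)
    return results

def opens_without_prompt(reg_text):
    """ProgIDs that will open after download with no confirmation dialog."""
    return sorted(k for k, unsafe in audit(reg_text).items() if unsafe)
```
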
Microsoft's Q&A document never explicitly states this; however,
Microsoft has confirmed that Office 95 is affected and that a
patch is in progress and expected in mid-December 1999. See the
link on
http://gartner3.gartnerweb.com/public/static/home/today/il1112991.html