COMMAND
MDAC
SYSTEMS AFFECTED
Microsoft Jet, all versions
PROBLEM
Juan Carlos Garcia Cuartango discovered a major ODBC vulnerability
located in the Jet 3.51 driver (ODBCJT32.DLL). This driver was
shipped with MS Office 97. This vulnerability should not be confused
with MDAC #2 on this page, or is it the same one? Anyway, it's good
reading...
The ODBC vulnerability located in the Jet 4.0 driver (ODBCJT32.DLL)
was reported to MS on 29 July 1999. This driver was
shipped with MS Office 2000 and MDAC 2.1. The impact of this
vulnerability can be considered very similar to that of the previous
MS Office 97 vulnerability. The vulnerability can be
exploited either from an MS Excel 2000 worksheet or from an MS Word
2000 document. This issue allows silent writing to your files
when you open an Excel worksheet or Word document. No macros are
involved and therefore no warning will be displayed. A malicious
worksheet or document could: infect you with a virus, delete your
disks, read your files. Be aware that the vulnerability can also
be exploited via the Internet:
- A WEB page can contain a hidden frame like <IFRAME SRC=malicious.XLS>
or <IFRAME SRC=malicious.DOC>
- You can receive an e-mail with the same hidden frame; if you
open the e-mail while you are on-line, you are at risk. Of course
the .XLS or .DOC can also be sent as a normal attachment; in
this case it is up to you whether to open the document. Do not open
unexpected documents, and switch to the off-line state before opening
your e-mail messages.
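A defensive check for the delivery path described above, as an added example (not part of the original advisory): it scans an HTML page or HTML mail body for frames whose SRC is an .XLS or .DOC file and marks the ones that are hidden. The sample markup and the names scan_html and OfficeFrameFinder are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# File types the advisory names as carriers (Excel worksheets, Word documents).
OFFICE_EXTS = (".xls", ".doc")
FRAME_TAGS = {"iframe", "frame"}
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class OfficeFrameFinder(HTMLParser):
    """Collects frames whose SRC points at an Office document."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in FRAME_TAGS:  # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        try:
            # Compare only the URL path so "?x=1" or "#frag" cannot mask the extension.
            path = urlsplit(src).path.lower()
        except ValueError:
            path = src.lower()  # malformed URL: fall back to the raw string
        if not path.endswith(OFFICE_EXTS):
            return
        zero = any(a.get(d, "").strip() in ("0", "0px", "0%") for d in ("width", "height"))
        hidden = zero or bool(HIDDEN_STYLE.search(a.get("style", "")))
        self.findings.append({"tag": tag, "src": src, "hidden": hidden})


def scan_html(html):
    """Return one finding per frame that loads an .xls/.doc file."""
    finder = OfficeFrameFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample input (not taken from a real page or message).
SAMPLE = """<html><body>
<IFRAME SRC=malicious.XLS WIDTH=0 HEIGHT=0></IFRAME>
<iframe src="http://example.invalid/report.doc?id=7" style="display:none"></iframe>
<iframe src="/help/index.html"></iframe>
<iframe src="/files/visible.doc" width="600" height="400"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```
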
Jet is a database engine used by Microsoft products such as
Microsoft Office97 and Office2000. Two vulnerabilities exist in
Jet:
- The "VBA Shell" vulnerability, which affects all versions of Jet
except Jet 4.0. An operating system command embedded within a
database query could be executed when the query is processed.
This would allow a spreadsheet, database, or other application
file that contained such a query to take virtually any action on
the user's computer when the query was executed.
- The "Text I-ISAM" vulnerability, which affects all versions of
Jet. Jet provides a way to modify the contents of text files,
as a means of allowing data exchange between it and other
systems. However, a malicious user could use this capability to
modify system files via a database query.
Microsoft Office uses the Jet engine, and Office users are
particularly at risk from these vulnerabilities. (The "VBA Shell"
vulnerability affects all versions of Office prior to Office2000,
and also affects one member of the Office2000 suite, Access2000.
The "Text I-ISAM" vulnerability affects all versions of Office).
The vulnerabilities are an especially serious threat to Office
users for three reasons:
- Scenarios for exploiting these vulnerabilities via Office
documents are publicly known.
- The ubiquity of Office would make it an attractive target for
mounting attacks via these vulnerabilities.
- The ability of Office documents to perform Document Object
Hosting would permit users to be attacked simply by visiting a
malicious user's web site.
Microsoft Jet also is used by several other Microsoft products,
as well as many third party applications. However, the ability
to exploit this vulnerability through these products is highly
dependent on the specific application.
The exploit, originally by Juan Carlos, is an Excel file that
starts an FTP session to download a file and launches Regedit
when opened. Please note that for the exploit to work the file
C:\CONFIG.SYS must exist. This is an arbitrary file. Any other
file will do. Now without knowing the full details of the
vulnerability we can only guess that this exploit exercises the
same vulnerability. Download the Excel file exploit:
http://www.securityfocus.com/level2/?go=vulnerabilities&id=548
The "Text I-ISAM" vulnerability, which affects all versions of
Jet. Jet provides a way to modify the contents of text files, as
a way of allowing data exchange between it and other systems.
However, a malicious user could use this capability to modify
system files via a database query. The original patch for this
vulnerability allowed "drop table" operations to be used, which
could allow files on the user's computer to be deleted; the new
patch eliminates this variant.
SOLUTION
The patch download location refers to two different patches, an
Excel 2000 and an Excel 97 patch. The information received is that
the patches ARE THE SAME. They are presented differently for
some reason, but the underlying download files:
Excel 97
http://officeupdate.microsoft.com/isapi/gooffupd.asp?TARGET=/downloaditems/JetCopkg.exe
Excel 2000
http://officeupdate.microsoft.com/isapi/gooffupd.asp?TARGET=/2000/downloaditems/JetCopkg.exe
appear to be identical. For now, take the download based on the
version you are running. Then apply
http://officeupdate.microsoft.com/articles/mdac_typ.htm
to a Jet 3.5.
Just a reminder: there are also workarounds for this. MDAC
2.1 includes the JET 4.0 driver, which is not affected by this
vulnerability. It is available for download at the MS site. Also,
Wanderley J. Abreu Jr. has written a program that will search the
registry and modify the EditFlags value for DocObjects file types,
setting the Confirm Open After Download value to 01. This means
that these filetypes can no longer be silently downloaded and
opened. This can be downloaded from:
http://www.securityfocus.com/data/vulnerabilities/patches/RegFix.zip
Microsoft's Q&A document never explicitly states this; however,
Microsoft has confirmed that Office 95 is affected and that a
patch is in progress and expected in mid-December 1999. See the link
on
http://gartner3.gartnerweb.com/public/static/home/today/il1112991.html