Greetings,

I have discovered a major ODBC vulnerability located in the Jet 3.51 (ODBCJT32.DLL driver). This driver was shipped with MS Office 97.

The vulnerability can be exploited from an MS Excel 97 worksheet (I strongly suspect that it can also be exploited from an MS Word 97 document). I have not tested other MS Office versions.

If you open a malicious Excel worksheet implementing this vulnerability, it will send shell commands to your operating system (Windows NT, 95 and 98 are all affected) that can: inoculate you with a virus, delete your disks, read your files. Let's say that the worksheet will get full control over your machine. As far as the Excel worksheet does not contain any macro, no message will be displayed upon opening the worksheet.

Be aware that the vulnerability can also be exploited via the Internet:

- A Web page can contain a hidden frame like <IFRAME SRC=malicious.XLS>; if you visit this page you are dead.
- You can receive an e-mail with the same hidden frame; if you open the e-mail and you are on-line you are also dead. Of course the .XLS can also be sent as a normal attachment; in this case it is up to you to open the document or not.

Do not open unexpected documents, and switch to off-line state before opening your e-mail messages.

The issue was reported to MS a few days ago. They were aware of the problem and in fact it has been corrected in the Jet 4.0 driver; this driver is delivered as part of MDAC 2.1. The date (1999 April 26) of the files delivered with this component shows that MS was aware of the problem a long time ago; however, MS has not informed their millions of MS Office users about the benefit of installing a new Jet 4 driver for strong security reasons.

I personally do not agree with the MS way of managing this security issue. If a software manufacturer discovers a high-risk security issue himself, I expect from the manufacturer a security bulletin and a fix sent immediately to their users.

MS will very presumably post a security bulletin about this issue. The reason for this bulletin is this posting to NTBugtraq: they decided to release a new bulletin only after they knew that I was posting this to you, NTBugtraq readers.

Are you affected?

Look at the version of your Jet driver (ODBCJT32.DLL). If it is like 3.51.xxx then you are affected.

What must you do?

Download MDAC 2.1 from http://www.microsoft.com/data/ and install it immediately. I hope MS will post detailed information; check their security site at http://www.microsoft.com/security/

I would like to acknowledge Mr. Prigogine (.Rain.Forest.Puppy) for bringing me the inspiration for finding this vulnerability. I found it after reading their "short" NTBugtraq article: "Alert: IIS RDS vulnerability and fix". I would never have discovered it without their valuable teaching.

Cheers,
Juan Carlos G. Cuartango
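A mail or web gateway can flag the delivery pattern the post describes, a frame whose SRC is an Office document. The following is an added example, not part of the original post: the function names, the extension list and the "hidden" heuristics (zero or one pixel size, display:none, visibility:hidden) are assumptions, and the sample body is constructed.

```python
import quopri
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the post names .XLS and suspects Word documents, so flag both.
OFFICE_EXTS = (".xls", ".doc")

def is_hidden(attrs):
    """True when the frame is sized or styled so the reader never sees it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = any(attrs.get(k, "").strip() in ("0", "1") for k in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style

class FrameFinder(HTMLParser):
    """Collects <iframe>/<frame> tags whose SRC path ends in an Office extension."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "frame"):
            return
        a = {k: (v or "") for k, v in attrs}
        try:
            path = urlsplit(a.get("src", "").strip()).path.lower()
        except ValueError:      # malformed URL: nothing to match on
            return
        if path.endswith(OFFICE_EXTS):
            self.hits.append({"tag": tag, "src": a["src"], "hidden": is_hidden(a)})

def scan(body, quoted_printable=False):
    """Return flagged frames in an HTML body; decode quoted-printable mail first."""
    if quoted_printable:
        body = quopri.decodestring(body.encode("utf-8")).decode("utf-8", "replace")
    finder = FrameFinder()
    finder.feed(body)
    finder.close()
    return finder.hits

# Constructed sample: a quoted-printable HTML mail body with one hidden frame.
SAMPLE_QP = ('<html><body>Hello<IFRAME SRC=3Dmalicious.XLS WIDTH=3D0 HEIGHT=3D0>'
             '</IFRAME>\n<iframe src=3D"news.html"></iframe></body></html>')

if __name__ == "__main__":
    for hit in scan(SAMPLE_QP, quoted_printable=True):
        print(hit)
```

Decoding the transfer encoding first matters: in the raw mail body the attribute reads `SRC=3Dmalicious.XLS`, which a parser run on undecoded text would not match.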
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:54:07 PDT