Hi All - I need to provide some follow-up and additional detail on the information discussed below. We've verified that this vulnerability in Jet 3.51 does exist, and urge all customers who are using Jet 3.51 to upgrade to Jet 4.0. This vulnerability should be taken seriously. Office 97 users in particular should consider immediately upgrading their database driver to Jet 4.0, as Jet 3.51 is installed by default in Office 97. Office 2000 users do not need to upgrade, as Office 2000 installs Jet 4.0 by default. We are developing a security bulletin to provide full information on the vulnerability and the products affected. We'll also provide an easy way to upgrade to Jet 4.0 via our OfficeUpdate web site. We expect to release the bulletin shortly. In the meantime, if you would like to upgrade immediately, you can do so by installing Microsoft Data Access Components version 2.1, which contains Jet 4.0. MDAC 2.1 is available at http://www.microsoft.com/data/. Finally, I need to dispel some incorrect information. It is not true that Microsoft knew about this vulnerability for some time but did not alert customers until the author posted to NTBugTraq. Jet 4.0 corrected a number of bugs that had been found in Jet 3.51; none of them appeared particularly serious at the time. Two days ago, we were contacted by Mr. Cuartango, who advised us that he had determined a way to exploit in a particularly damaging way one of the bugs in Jet 3.51. We confirmed the attack the same day and agreed with him that the seriousness of the attack warranted a security bulletin. We advised him that we would issue it very soon -- we wanted to ensure that we had a full listing of all affected products and had a simple upgrade mechanism in place. At no time have we attempted to downplay the seriousness of this vulnerability. Regards, Secureat_private -----Original Message----- From: Juan Carlos Garcia Cuartango [mailto:cuartangojcat_private] Sent: Thursday, July 29, 1999 3:45 AM To: NTBUGTRAQat_private Subject: Alert : MS Office 97 Vulnerability Greetings, I have discovered major ODBC vulnerability located in the Jet 3.51 (ODBCJT32.DLL driver) This driver was shipped with MS Office 97. The vulnerability can be exploited from a MS Excel 97 Worksheet (I strongly suspect that can also be exploited from a MS Word 97 document) , I have not tested other MS Office versions. If you open a malicious Excel worksheet implementing this vulnerability It will send shell commands to your operating system (Windows NT, 95 and 98 are all affected) that can : inoculate you a virus, delete your disks, read your files . let say that the worksheet will get full control over your machine. As far as the Excel worksheet does not contain any macro no message will be displayed upon opening the worksheet. Be aware that the vulnerability can also be exploited via Internet : - A WEB page can contain a hidden frame like <IFRAME SRC=malicious.XLS> if you visit this page you are dead. - You can receive an e-mail with the same hidden frame, if you open the e-mail and you are on-line you are also dead. Of course the .XLS can also be sent as a normal attachment in this case is up to you to open or not the document. Do no open unexpected documents and switch to off-line state before open your e-mail messages. The issue was reported to MS few days ago there were aware of the problem and in fact It has been corrected in the Jet 4.0 driver this driver is delivered a part of MDAC 2.1 . The date (1999 April 26) of the files delivered with this component shows that MS was aware of the problem long time ago, however MS has not informed their millions of MS Office users about the benefit of installing a new Jet 4 driver for strong security reasons. I personally do not agree with the MS way of managing this security issue. If a software manufacturer discover himself a high risk security issue I expect from the manufacturer a security bulletin and a fix sent immediately to their users. MS will very presumably post a security bulletin about this issue the reason for this bulletin is this posting to NTBugtraq they decided to release a new bulletin only after they knew that I was posting this to you, NTBugtaq readers. Are you affected ? Look to the version of your Jet Driver (ODBCJT32.DLL) , If it is like 3.51.xxx then you are affected. What must you do ? Download MDAC 2.1 from http://www.microsoft.com/data/ and install It immediately. I hope MS will post detailed information check their their security site at http://www.microsoft.com/security/ I would like to acknowledge Mr. Prigogine (.Rain.Forest.Puppy) for bringing me the inspiration for finding this vulnerability. I found It after reading their "short" NTBugtraq article : "Alert: IIS RDS vulnerability and fix" . I would never discovered It without their valuable teaching. Cheers, Juan Carlos G. Cuartango
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:54:09 PDT