Re: Some Thoughts About The "So Called" Excel97 ODBC Security

From: Bronek Kozicki (bronekat_private)
Date: Wed Aug 11 1999 - 11:18:44 PDT

    Wanderley J. Abreu Jr. wrote:
    > 3. It changes All the 3rd Bytes of EditFlags Entries (All from MS Office
    > documents which contain Docking Objects) to 00. It doesn't allow you to see
    > what's happening, nor let you change a specific EditFlags Value.
    
    I must agree that your tool is better than the one released by MS, BUT:
    
    I think that you missed the problem here. Your post is connected to the
    ability to open documents without warning inside Internet Explorer, and the
    only connection is that an Excel file may run an SQL command directed to the
    Jet ODBC driver that will run an OS command in the context of the Excel user.
    Your patch does not prevent running commands through an ODBC connection,
    does it?
    
    The problem still exists, and what, to my knowledge, MS recommends is:
    
    1) upgrading to the Jet 4 ODBC driver (which is included in MSDAC 2.1) OR
    2) if you need to use the older Jet (SQL incompatibilities), wait for the
    patch for Jet 3.51
    
    ODBC can be accessed from a variety of programs, and ANY of them (including
    a web server accessing a Jet database through ODBC) will be able to run a
    command in the context of the current user. There is NO "So Called" Excel 97
    ODBC Security Vulnerability. There is a REAL problem in the Jet ODBC driver,
    first raised over 2 months ago by .rain.forest.puppy. (May 25th, subject
    "Advisory: NT ODBC Remote Compromise"). I thoroughly tested this one day
    later, results were sent to BUGTRAQ, and there were not many more comments on
    the subject (especially from Microsoft). Putting this vulnerability in the
    context of Excel files does not change the fact that the weak point is NOT in
    IE, nor in Excel, nor in COM, but still in the very same place: the ODBC Jet
    driver.
    
    
    Regards
    
    
    Bronek Kozicki
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:56:05 PDT