
Fw: Microsoft Security Bulletin (MS99-030)




Office ODBC's Jet-users security issue..................

Regards,
Ton Maas
ms-irb@xxxxxxxxxxxxxxxx
Dismiss the ".nospam" bit (including the dot) when replying and
note the new address change. Also for my Homepage
http://home.planet.nl/~anthmaas


----- Original Message ----- 
From: Microsoft Product Security <secnotif@xxxxxxxxxxxxx>
To: <MICROSOFT_SECURITY@xxxxxxxxxxxxxxxxxxxxxx>
Sent: Friday, 20 August 1999 23:16
Subject: Microsoft Security Bulletin (MS99-030)


> The following is a Security Bulletin from the Microsoft Product Security
> Notification Service.
> 
> Please do not reply to this message, as it was sent from an unattended
> mailbox.
>                     ********************************
> 
> Microsoft Security Bulletin (MS99-030)
> ======================================
> 
> Patch Available for Office "ODBC Vulnerabilities"
> Originally Posted: August 20, 1999
> 
> Summary
> -------
> Microsoft has released a patch that eliminates security vulnerabilities in
> the Microsoft(r) Jet database engine. The vulnerabilities could affect any
> application that runs atop Jet, and could allow a database query to take
> virtually any action on a user's computer. Microsoft recommends that all
> customers who are running applications that use Jet, especially users of
> Microsoft Office97 and Office2000, install the patch.
> 
> Additional information and frequently asked questions regarding this
> vulnerability can be found at
> http://www.microsoft.com/security/bulletins/MS99-030faq.asp
> 
> Issue
> -----
> Jet is a database engine used by Microsoft products such as Microsoft
> Office97 and Office2000. Two vulnerabilities exist in Jet:
>  - The "VBA Shell" vulnerability, which affects all versions of Jet
>    except Jet 4.0. An operating system command embedded within a
>    database query could be executed when the query is processed.
>    This would allow a spreadsheet, database, or other application
>    file that contained such a query to take virtually any action on
>    the user's computer when the query was executed.
>  - The "Text I-ISAM" vulnerability, which affects all versions of Jet.
>    Jet provides a way to modify the contents of text files, as a means of
>    allowing data exchange between it and other systems. However, a
>    malicious user could use this capability to modify system files via
>    a database query.
> 
> Microsoft Office uses the Jet engine, and Office users are particularly at
> risk from these vulnerabilities. (The "VBA Shell" vulnerability affects all
> versions of Office prior to Office2000, and also affects one member of the
> Office2000 suite, Access2000. The "Text I-ISAM" vulnerability affects all
> versions of Office). The vulnerabilities are an especially serious threat
> to Office users for three reasons:
>  - Scenarios for exploiting these vulnerabilities via Office documents
>    are publicly known.
>  - The ubiquity of Office would make it an attractive target for
>    mounting attacks via these vulnerabilities.
>  - The ability of Office documents to perform Document Object Hosting
>    would permit users to be attacked simply by visiting a malicious
>    user's web site.
> 
> Microsoft Jet also is used by several other Microsoft products, as well as
> many third party applications. However, the ability to exploit this
> vulnerability through these products is highly dependent on the specific
> application. Although Microsoft has not identified a means of exploiting
> these vulnerabilities through any Microsoft products except Office, we
> recommend that all customers who have Microsoft Jet installed on their
> computer update it. This will ensure that they are protected against any
> possible attacks that may be developed.
> 
> Affected Software Versions
> ==========================
>  - Microsoft Jet, all versions
> 
> NOTE: Jet serves as the database engine for a number of Microsoft products,
> including but not limited to:
>  - Microsoft Office
>  - Microsoft Visual Studio
>  - Microsoft Publisher
>  - Microsoft Streets & Trips
> 
> Jet also serves as the database engine for many third-party software
> products. The patch does not require any change to any of the applications
> that use Jet; instead, it operates directly on the Jet database engine and
> restores proper functionality to it.
> 
> Patch Availability
> ==================
>  - http://officeupdate.microsoft.com/articles/mdac_typ.htm
> 
> NOTE: A patch is available for Jet 3.5 and all subsequent versions. Older
> versions of Jet are no longer supported, and we recommend that affected
> customers upgrade to a supported version.
> 
> NOTE: The OfficeUpdate site automatically detects the version of Jet that is
> installed on a machine, and applies the correct patch. The patch is
> suitable for widespread deployment via Microsoft(r) Systems Management
> Server(r). Users who wish to manually apply patches for specific versions
> of Jet should consult the FAQ for information on how to do this.
> 
> More Information
> ================
> Please see the following references for more information related to this
> issue. Please note that it may take 24 hours from the original posting of
> this bulletin for all of the KB articles to be visible on the Microsoft web
> site.
>  - Microsoft Security Bulletin MS99-030: Frequently Asked Questions,
>    http://www.microsoft.com/security/bulletins/MS99-030faq.asp.
>  - Microsoft Knowledge Base (KB) article Q239114,
>    ACC2000: Updated Version of Microsoft Jet 4.0 Available on MS,
>    http://support.microsoft.com/support/kb/articles/q239/1/14.asp.
>  - Microsoft Knowledge Base (KB) article Q172733,
>    Updated Version of Microsoft Jet 3.5 Available on MSL,
>    http://support.microsoft.com/support/kb/articles/q172/7/33.asp.
>  - Microsoft Knowledge Base (KB) article Q239482,
>    ACC2000: Jet 4.0 Expression can Execute Unsafe VBA Functions,
>    http://support.microsoft.com/support/kb/articles/q239/4/82.asp.
>  - Microsoft Knowledge Base (KB) article Q239104,
>    Access97: Jet Expression can Execute Query with Unsafe VBA Functions,
>    http://support.microsoft.com/support/kb/articles/q239/1/04.asp.
>  - Microsoft Knowledge Base (KB) article Q239471,
>    ACC2000: Text I-ISAM Allows Users to Append Lines Into System Files,
>    http://support.microsoft.com/support/kb/articles/q239/4/71.asp.
>  - Microsoft Knowledge Base (KB) article Q239105,
>    ACC97: Text I-ISAM Allows Users to Append Lines Into System Files,
>    http://support.microsoft.com/support/kb/articles/q239/1/05.asp.
>  - Microsoft Knowledge Base (KB) article Q172733,
>    Updated Version of Microsoft Jet 3.5 Available on MSL,
>    http://support.microsoft.com/support/kb/articles/Q172/7/33.asp.
>  - Microsoft KB article Q141796,
>    How to Identify the Jet Database Engine Components,
>    http://support.microsoft.com/support/kb/articles/Q141/7/96.asp.
>  - Microsoft Security Advisor web site,
>    http://www.microsoft.com/security/default.asp.
> 
> Obtaining Support on this Issue
> ===============================
> This is a fully supported patch. Information on contacting Microsoft
> Technical Support is available at
> http://support.microsoft.com/support/contact/default.asp.
> 
> Acknowledgments
> ===============
> Microsoft acknowledges Juan Carlos Cuartango of Spain for bringing this
> issue to our attention.
> 
> Revisions
> =========
>  - August 20, 1999: Bulletin Created.
> 
> -----------------------------------------------------------------------
> 
> THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
> WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
> EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
> FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
> SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
> INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
> EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
> POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
> LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
> FOREGOING LIMITATION MAY NOT APPLY.
> 
> (c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.
> 
>    *******************************************************************
> You have received this e-mail bulletin as a result of your registration
> to the Microsoft Product Security Notification Service. You may
> unsubscribe from this e-mail notification service at any time by sending
> an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@xxxxxxxxxxxxxxxxxxxxxx
> The subject line and message body are not used in processing the request,
> and can be anything you like.
> 
> For more information on the Microsoft Security Notification Service
> please visit http://www.microsoft.com/security/services/bulletin.asp. For
> security-related information about Microsoft products, please visit the
> Microsoft Security Advisor web site at http://www.microsoft.com/security.