Office ODBC's Jet-users security issue..................
Regards,
Ton Maas
ms-irb@xxxxxxxxxxxxxxxx
Dismiss the ".nospam" bit (including the dot) when replying and
note the new address change. Also for my Homepage
http://home.planet.nl/~anthmaas
----- Original Message -----
From: Microsoft Product Security <secnotif@xxxxxxxxxxxxx>
To: <MICROSOFT_SECURITY@xxxxxxxxxxxxxxxxxxxxxx>
Sent: Friday, 20 August 1999 23:16
Subject: Microsoft Security Bulletin (MS99-030)
> The following is a Security Bulletin from the Microsoft Product Security
> Notification Service.
>
> Please do not reply to this message, as it was sent from an unattended
> mailbox.
> ********************************
>
> Microsoft Security Bulletin (MS99-030)
> ======================================
>
> Patch Available for Office "ODBC Vulnerabilities"
> Originally Posted: August 20, 1999
>
> Summary
> -------
> Microsoft has released a patch that eliminates security vulnerabilities in
> the Microsoft(r) Jet database engine. The vulnerabilities could affect any
> application that runs atop Jet, and could allow a database query to take
> virtually any action on a user's computer. Microsoft recommends that all
> customers who are running applications that use Jet, especially users of
> Microsoft Office97 and Office2000, install the patch.
>
> Additional information and frequently asked questions regarding this
> vulnerability can be found at
> http://www.microsoft.com/security/bulletins/MS99-030faq.asp
>
> Issue
> -----
> Jet is a database engine used by Microsoft products such as Microsoft
> Office97 and Office2000. Two vulnerabilities exist in Jet:
> - The "VBA Shell" vulnerability, which affects all versions of Jet
>   except Jet 4.0. An operating system command embedded within a
>   database query could be executed when the query is processed.
>   This would allow a spreadsheet, database, or other application
>   file that contained such a query to take virtually any action on
>   the user's computer when the query was executed.
> - The "Text I-ISAM" vulnerability, which affects all versions of Jet.
>   Jet provides a way to modify the contents of text files, as a means of
>   allowing data exchange between it and other systems. However, a
>   malicious user could use this capability to modify system files via
>   a database query.
>
> Microsoft Office uses the Jet engine, and Office users are particularly at
> risk from these vulnerabilities. (The "VBA Shell" vulnerability affects all
> versions of Office prior to Office2000, and also affects one member of the
> Office2000 suite, Access2000. The "Text I-ISAM" vulnerability affects all
> versions of Office). The vulnerabilities are an especially serious threat
> to Office users for three reasons:
> - Scenarios for exploiting these vulnerabilities via Office documents
>   are publicly known.
> - The ubiquity of Office would make it an attractive target for
>   mounting attacks via these vulnerabilities.
> - The ability of Office documents to perform Document Object Hosting
>   would permit users to be attacked simply by visiting a malicious
>   user's web site.
>
> Microsoft Jet also is used by several other Microsoft products, as well as
> many third party applications. However, the ability to exploit this
> vulnerability through these products is highly dependent on the specific
> application. Although Microsoft has not identified a means of exploiting
> these vulnerabilities through any Microsoft products except Office, we
> recommend that all customers who have Microsoft Jet installed on their
> computer update it. This will ensure that they are protected against any
> possible attacks that may be developed.
>
> Affected Software Versions
> ==========================
> - Microsoft Jet, all versions
>
> NOTE: Jet serves as the database engine for a number of Microsoft products,
> including but not limited to:
> - Microsoft Office
> - Microsoft Visual Studio
> - Microsoft Publisher
> - Microsoft Streets & Trips
>
> Jet also serves as the database engine for many third-party software
> products. The patch does not require any change to any of the applications
> that use Jet; instead, it operates directly on the Jet database engine and
> restores proper functionality to it.
>
> Patch Availability
> ==================
> - http://officeupdate.microsoft.com/articles/mdac_typ.htm
>
> NOTE: A patch is available for Jet 3.5 and all subsequent versions. Older
> versions of Jet are no longer supported, and we recommend that affected
> customers upgrade to a supported version.
>
> NOTE: The OfficeUpdate site automatically detects the version of Jet that is
> installed on a machine, and applies the correct patch. The patch is
> suitable for widespread deployment via Microsoft(r) Systems Management
> Server(r). Users who wish to manually apply patches for specific versions
> of Jet should consult the FAQ for information on how to do this.
>
> More Information
> ================
> Please see the following references for more information related to this
> issue. Please note that it may take 24 hours from the original posting of
> this bulletin for all of the KB articles to be visible on the Microsoft web
> site.
> - Microsoft Security Bulletin MS99-030: Frequently Asked Questions,
>   http://www.microsoft.com/security/bulletins/MS99-030faq.asp.
> - Microsoft Knowledge Base (KB) article Q239114,
>   ACC2000: Updated Version of Microsoft Jet 4.0 Available on MS,
>   http://support.microsoft.com/support/kb/articles/q239/1/14.asp.
> - Microsoft Knowledge Base (KB) article Q172733,
>   Updated Version of Microsoft Jet 3.5 Available on MSL,
>   http://support.microsoft.com/support/kb/articles/q172/7/33.asp.
> - Microsoft Knowledge Base (KB) article Q239482,
>   ACC2000: Jet 4.0 Expression can Execute Unsafe VBA Functions,
>   http://support.microsoft.com/support/kb/articles/q239/4/82.asp.
> - Microsoft Knowledge Base (KB) article Q239104,
>   Access97: Jet Expression can Execute Query with Unsafe VBA Functions,
>   http://support.microsoft.com/support/kb/articles/q239/1/04.asp.
> - Microsoft Knowledge Base (KB) article Q239471,
>   ACC2000: Text I-ISAM Allows Users to Append Lines Into System Files,
>   http://support.microsoft.com/support/kb/articles/q239/4/71.asp.
> - Microsoft Knowledge Base (KB) article Q239105,
>   ACC97: Text I-ISAM Allows Users to Append Lines Into System Files,
>   http://support.microsoft.com/support/kb/articles/q239/1/05.asp.
> - Microsoft Knowledge Base (KB) article Q172733,
>   Updated Version of Microsoft Jet 3.5 Available on MSL,
>   http://support.microsoft.com/support/kb/articles/Q172/7/33.asp.
> - Microsoft KB article Q141796,
>   How to Identify the Jet Database Engine Components,
>   http://support.microsoft.com/support/kb/articles/Q141/7/96.asp.
> - Microsoft Security Advisor web site,
>   http://www.microsoft.com/security/default.asp.
>
> Obtaining Support on this Issue
> ===============================
> This is a fully supported patch. Information on contacting Microsoft
> Technical Support is available at
> http://support.microsoft.com/support/contact/default.asp.
>
> Acknowledgments
> ===============
> Microsoft acknowledges Juan Carlos Cuartango of Spain for bringing this
> issue to our attention.
>
> Revisions
> =========
> - August 20, 1999: Bulletin Created.
>
> -----------------------------------------------------------------------
>
> THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
> WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
> EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
> FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
> SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
> INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
> EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
> POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
> LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
> FOREGOING LIMITATION MAY NOT APPLY.
>
> (c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.
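Added example (not part of the forwarded message or of Microsoft's bulletin): for queries that arrive inside documents before every Jet installation is patched, one defensive check is to list the functions each query's expressions call and flag any that are not on a reviewed allowlist, which is how a "VBA Shell" style call would surface. The allowlist contents, the helper names and the sample queries are assumptions constructed for illustration.

```python
import re

# Assumption: a small allowlist of expression functions that reviewed queries
# are expected to use. Illustrative only; this is not Jet's own list.
ALLOWED_FUNCTIONS = {
    "sum", "count", "avg", "min", "max", "iif", "format",
    "left", "right", "mid", "len", "ucase", "lcase", "now", "date", "year",
}

# Keywords that may be followed by "(" without being a function call.
SQL_KEYWORDS = {
    "in", "values", "and", "or", "not", "on", "from", "where",
    "select", "exists", "as", "into", "by", "having", "all", "any",
}

_STRING = re.compile(r"'(?:[^']|'')*'|\"(?:[^\"]|\"\")*\"")   # quoted literals
_BRACKETED = re.compile(r"\[[^\]]*\]")                          # [object names]
_INSERT_COLS = re.compile(r"\binsert\s+into\s+[\w\[\].]+\s*\(", re.I)
_CALL = re.compile(r"\b([A-Za-z_][A-Za-z0-9_$]*)\s*\(")


def called_functions(sql):
    """Return function names invoked in a query, in order of first use."""
    text = _STRING.sub("''", sql)            # text inside literals is data
    text = _BRACKETED.sub("[]", text)        # so are bracketed identifiers
    text = _INSERT_COLS.sub("insert into (", text)  # column list, not a call
    names = []
    for match in _CALL.finditer(text):
        name = match.group(1).lower()
        if name not in SQL_KEYWORDS and name not in names:
            names.append(name)
    return names


def review_query(sql):
    """Return the called functions that are not on the allowlist."""
    return [f for f in called_functions(sql) if f not in ALLOWED_FUNCTIONS]


# Constructed sample queries; the command text is a placeholder.
SAMPLES = [
    "SELECT Customer, Sum(Amount) AS Total FROM Orders "
    "WHERE Year(OrderDate) = 1999 GROUP BY Customer",
    "SELECT Shell('<os-command-placeholder>') AS x FROM Orders",
    "SELECT Name FROM Notes WHERE Body = 'call Shell(now)'",
    "INSERT INTO Orders (Id, Total) VALUES (1, Len('abc'))",
]

if __name__ == "__main__":
    for query in SAMPLES:
        print(review_query(query) or "ok", "<-", query)
```

A flagged query is a candidate for manual review, not proof of abuse; the check complements installing the patch and does not replace it.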