|
PureBytes Links
Trading Reference Links
|
Hole opens Office 97 users to hijack
By Brett Glass
07/30/99 08:18:00 AM
Vulnerability in popular Microsoft suite could allow malicious coder to take
control of computers without victim knowing.
UPDATED 7 AM PT 7/30/99
Juan Carlos G. Cuartango, who has previously exposed several serious
security holes in Microsoft Internet Explorer and Netscape Navigator, has
once again found a nasty vulnerability in Microsoft Office and Internet
Explorer.
The hole, which is present on any Windows or NT system containing Version
3.51 of Microsoft's "Jet" database engine, allows an e-mail message or Web
page to execute an arbitrary command on the user's system. The vulnerable
version of the engine was shipped with Microsoft Office 97. It may also have
been included with other Microsoft (Nasdaq:MSFT
<http://www.zdii.com/industry_list_new.asp?mode=news&ticker=MSFT> ) products
and development tools, and/or with third party applications.
The security hole does not involve macros but rather database queries which
trigger the execution of commands on the user's computer system. A dangerous
query can occur in a spreadsheet formula, a field in a wordprocessor
document, or a data file used by a database-enabled application. Virus
scanners which look for dangerous macro viruses do not look for such queries
and therefore do not prevent the hole from being exploited.
Serious vulnerability
According to Cuartango, the vulnerability is especially dangerous because it
can be exploited remotely via the Internet. If a user with the vulnerability
is running Microsoft Internet Explorer and visits a Web page with an
embedded Office document (such as an Excel spreadsheet), viewing the
document will allow arbitrary commands to be executed on that user's system.
"If you visit [the] page," wrote Cuartango, "you are dead."
Likewise, a piece of e-mail with an embedded or attached Office document can
exploit the vulnerability. The security hole can be used to inject a virus
or a Trojan horse program, such as Back Orifice, into the victim's system.
It can also cause the system to transmit sensitive data, including
encryption keys, credit card numbers, etc., to a malicious third party.
Microsoft acknowledged the presence of the bug and urged users to take
action. A message from Microsoft's "Security Response Team," posted to two
security-related Internet mailing lists, stated:
"We've verified that this vulnerability in Jet 3.51 does exist, and urge all
customers who are using Jet 3.51 to upgrade to Jet 4.0. This vulnerability
should be taken seriously. Office 97 users in particular should consider
immediately upgrading their database driver to Jet 4.0, as Jet 3.51 is
installed by default in Office 97. Office 2000 users do not need to upgrade,
as Office 2000 installs Jet 4.0 by default. We are developing a security
bulletin to provide full information on the vulnerability and the products
affected. We'll also provide an easy way to upgrade to Jet 4.0 via our
OfficeUpdate Web site."
At this writing, Microsoft's official security bulletin was not yet
available. However, the following procedure can be used to determine if a
system is vulnerable and to close the security hole if it exists.
What to do?
To determine if your Windows or NT system is vulnerable, use the "Find"
command to search your system for the Jet driver -- a file named
ODBCJT32.DLL. If the file is found, right-click on its name and select
"Properties" from the pop-up menu. Select the "Version" tab on the
Properties sheet and examine the file version. If it's less than 4, your
system may be vulnerable. To remove the vulnerability, download and install
the latest version of the Microsoft Data Access Components, available from
www.microsoft.com/data/ <http://www.microsoft.com/data/> .
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PS: If you know this already sorry for the extra email. If you don't use
Jet, good for you. If you do use the Access database, well you know what to
do.....
Go to this location for the mdsa 2.0 download. This has the latest jet
engine (4.00.3711.08) within it.
http://download.microsoft.com/msdownload/mdac/sp1a/x86/en/mdac_typ.exe
<http://download.microsoft.com/msdownload/mdac/sp1a/x86/en/mdac_typ.exe>
Download the file to your local disk.
Run the executable.
Reboot system.
Go to: Start : Settings : Control Panel : ODBC Data Sources : Drivers
:Microsoft Access Driver (*.mdb) 4.00.3711.08
To check for a complete install.
Your all done.
---
eof
|