Hole opens Office 97 users to hijack

Carlos G. Cuartango, who has previously exposed several serious security holes in Microsoft Internet Explorer and Netscape Navigator, has once again found a nasty vulnerability in Microsoft Office and Internet Explorer.

The hole, which is present on any Windows or NT system containing Version 3.51 of Microsoft's "Jet" database engine, allows an e-mail message or Web page to execute an arbitrary command on the user's system. The vulnerable version of the engine was shipped with Microsoft Office 97. It may also have been included with other Microsoft products and development tools, and/or with third party applications.

The security hole does not involve macros but rather database queries which trigger the execution of commands on the user's computer system. A dangerous query can occur in a spreadsheet formula, a field in a wordprocessor document, or a data file used by a database-enabled application. Virus scanners which look for dangerous macro viruses do not look for such queries and therefore do not prevent the hole from being exploited.

According to Cuartango, the vulnerability is especially dangerous because it can be exploited remotely via the Internet. If a user with the vulnerability is running Microsoft Internet Explorer and visits a Web page with an embedded Office document (such as an Excel spreadsheet), viewing the document will allow arbitrary commands to be executed on that user's system. "If you visit [the] page," wrote Cuartango, "you are dead."

Likewise, a piece of e-mail with an embedded or attached Office document can exploit the vulnerability. The security hole can be used to inject a virus or a Trojan horse program, such as Back Orifice, into the victim's system. It can also cause the system to transmit sensitive data, including encryption keys, credit card numbers, etc., to a malicious third party. Microsoft acknowledged the presence of the bug and urged users to take action. A message from Microsoft's "Security Response Team," posted to two security-related Internet mailing lists, stated:

"We've verified that this vulnerability in Jet 3.51 does exist, and urge all customers who are using Jet 3.51 to upgrade to Jet 4.0. This vulnerability should be taken seriously. Office 97 users in particular should consider immediately upgrading their database driver to Jet 4.0, as Jet 3.51 is installed by default in Office 97. Office 2000 users do not need to upgrade, as Office 2000 installs Jet 4.0 by default. We are developing a security bulletin to provide full information on the vulnerability and the products affected. We'll also provide an easy way to upgrade to Jet 4.0 via our OfficeUpdate Web site." At this writing, Microsoft's official security bulletin was not yet available. However, the following procedure can be used to determine if a system is vulnerable and to close the security hole if it exists.

To determine if your Windows or NT system is vulnerable, use the "Find" command to search your system for the Jet driver -- a file named ODBCJT32.DLL. If the file is found, right-click on its name and select "Properties" from the pop-up menu. Select the "Version" tab on the Properties sheet and examine the file version. If it's less than 4, your system may be vulnerable. To remove the vulnerability, download and install the latest version of the Microsoft Data Access Components, available from www.microsoft.com/data/.