From: aleph1@UNDERGROUND.ORG
Sent: Thursday, July 29, 1999 3:56 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Alert : MS Office 97 Vulnerability

Greetings,

I have discovered  major ODBC vulnerability located in the Jet 3.51 (ODBCJT32.DLL driver) This driver was shipped with MS Office 97. 
The vulnerability can be exploited from a MS Excel 97 Worksheet (I strongly suspect that can also be exploited from a MS Word 97 document) , I have not tested other MS Office versions.
If you open a malicious Excel worksheet implementing this vulnerability It will send shell commands to your operating system (Windows NT, 95 and 98 are all affected) that can : inoculate you a virus, delete your disks, read your files . let say that the worksheet will get full control over your machine. As far as the Excel worksheet does not contain any macro no message will be displayed upon opening the worksheet. 
Be aware that the vulnerability can also be exploited via Internet :
- A WEB page can contain a hidden frame like <IFRAME SRC=malicious.XLS>  if you visit this page you are dead.
- You can receive an e-mail with the same hidden frame, if you open the e-mail and you are on-line you are also dead. Of course the .XLS can also be sent as a normal attachment in this case is up to you to open or not the document. Do no open unexpected documents and switch to off-line state before open your e-mail messages.

The issue was reported to MS few days ago there were aware of the problem and in fact It has been corrected in the Jet 4.0 driver this driver is delivered a part of MDAC 2.1 . The date (1999 April 26) of the files delivered with this component shows that MS was aware of the problem long time ago,  however MS has not informed their millions of MS Office users about the benefit of installing a new Jet 4 driver for strong security reasons. 
I personally do not agree with the MS way of managing this security issue. If a software manufacturer discover himself a high risk security issue I expect from the manufacturer a security bulletin and a fix sent immediately to their users.
MS will very presumably post a security bulletin about this issue the reason for this bulletin is this posting to NTBugtraq they decided to release a new bulletin only after they knew that I was posting this to you, NTBugtaq readers.
Are you affected ?
Look to the version of your Jet Driver (ODBCJT32.DLL) , If it is like 3.51.xxx then you are affected.
What must you do ?
Download MDAC 2.1 from http://www.microsoft.com/data/ and install It immediately. I hope MS will post detailed information check their their security site at http://www.microsoft.com/security/

I would like to acknowledge Mr. Prigogine (.Rain.Forest.Puppy) for bringing  me the inspiration for finding this vulnerability. I found It after reading their "short"  NTBugtraq article : "Alert:  IIS RDS vulnerability and fix" . I would never discovered It without their valuable teaching.

Cheers,
Juan Carlos G. Cuartango