From: Kuo, Jimmy [Jimmy_Kuo@NAI.COM]
Sent: Wednesday, August 11, 1999 4:03 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: Some Thoughts About The "So Called" Excel97 ODBC Security
Vulnerability

>3. It changes All the 3rd Bytes of EditFlags Entries (All from MS Office
>documents which contain Docking Objects) to 00. It doesn't allow you to see
>what's happening, nor let you change an specific EditFlags...

This is available from the AV community since January to address the Russian
New Year exploit but would address this issue as well.  Feed into REGEDIT or
REGEDT32.  For full description, see proceedings from InfoSec-Paris, June
1999.

It's the third set of zeros that matter.

----------8<---cut here--->8-------------

REGEDIT4

[HKEY_CLASSES_ROOT\Word.Addin.8]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\Word.Backup.8]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\Word.Document.8]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\Word.Template.8]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\Word.Wizard.8]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\Excel.Chart.8]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\Excel.Sheet.8]
"EditFlags"=hex:00,00,00,00

----------8<---cut here--->8-------------

For Office 2000, replace ".8" with ".9".

Add platforms and other extensions at your leisure.

Jimmy Kuo