From: Bronek Kozicki [bronek@wpi.com.pl]
Sent: Wednesday, August 11, 1999 2:19 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: Some Thoughts About The "So Called" Excel97 ODBC Security Vulnerability

Wanderley J. Abreu Jr. wrote:

> 3. It changes All the 3rd Bytes of EditFlags Entries (All from MS Office
> documents which contain Docking Objects) to 00. It doesn't allow you to see
> what's happening, nor let you change a specific EditFlags Value.

I must agree that your tool is better than the one released by MS, BUT:

I think that you missed the problem here. Your post is connected to the ability to open documents without warning inside Internet Explorer, and the only connection is that an Excel file may run an SQL command directed to the Jet ODBC driver that will run an OS command in the context of the Excel user. Your patch does not prevent running commands through an ODBC connection, does it?

The problem still exists, and what, to my knowledge, MS recommends is:

1) upgrading to Jet 4 ODBC driver (which is included in MSDAC 2.1)
OR
2) if you need to use older Jet (SQL incompatibilities), wait for patch for Jet 3.51

ODBC can be accessed from a variety of programs, and ANY of them (including a web server accessing a Jet database through ODBC) will be able to run a command in the context of the current user.

There is NO "So Called" Excel 97 ODBC Security Vulnerability. There is a REAL problem in the Jet ODBC driver, first raised over 2 months ago by .rain.forest.puppy. (May 25th, subject "Advisory: NT ODBC Remote Compromise"). I thoroughly tested this one day later, results were sent to BUGTRAQ, and there were not many more comments on the subject (especially from Microsoft).

Putting this vulnerability in the context of Excel files does not change the fact that the weak point is NOT in IE, nor in Excel, nor in COM, but still in the very same place: ODBC Jet driver.

Regards
Bronek Kozicki