Late July a security problem in Excel (and may be other MS Office applications as well) was found. It has to do with the ODBC database driver which ships together with Office 97 and which is installed by a default installation of Office 97. Specifically the vulnerability has to do with the file ODBCJT32.DLL. If your version of this file has a version number 3.51.xxx you are vulnerable.

Version 4.0 of this file can be obtained from Microsoft's web site at this location as part of version 2.1 of Microsoft Data Access Components (MDAC). Note however that not all third party applications can be used together with this newer version of MDAC. Therefore Microsoft is currently working on a general fix for those that for some reason are unable to upgrade to MDAC version 2.

The vulnerability allows a special worksheet to gain access to the operating system by issuing shell commands. This includes deleting files and reading files. There are no macros involved, thus no warning is issued before the file is run.

What makes this particularly frightening is that a malicious web page may have incorporated running an Excel file as part of the <IFRAME SRC="filename.XLS"> ... </IFRAME> tag which is supported by the Internet Explorer web browser. When such a web page is opened, Excel is started and the file is opened without no warning whatsoever. There seem to be no way to configure Internet Explorer to avoid this.

Microsoft has made a tool which warns a user before any Office 97 document is launched. This tool, together with a small article which describes the vulnerability are available from this link.

A similar tool, provided as freeware by Jimmy Guse, may be downloaded from NTBugtraq's web site here. This seems to be more flexible than Microsoft's and includes source code.

This vulnerability was originally discovered and reported by Juan Carlos Garcia Cuartango. His web site discusses other vulnerabilities he had discovered as well.

According to Microsoft users of Office 2000 are not affected by this vulnerability as Office 2000 installs ODBCJT32.DLL 4.0 by default.

As mentioned above, a special fix for this problem is expected from Microsoft in week 33. A weekly Norman security info at a later time may address this.

Per Olav Førland