Security Information Week 33, 1999
In our Security Information for week 31, we discussed the vulnerability in MS Office 97's Jet database driver.
This is a vulnerability which enables an operating system command to be embedded in a database query. The vulnerability would allow any document, spreadsheet or database to do almost anything on the affected computer. As this is not a macro in the file, users will not be prompted before the action is performed.
The malicious file may even be on a web site. If a malicious web page hosting such a file is opened in Internet Explorer, the file is opened without asking the user for any confirmation.
According to Microsoft, all versions of MS Office prior to Office 2000 are affected by this vulnerability. Other Microsoft products, as well as several third-party applications, also use the Jet driver. Whether these third-party applications are exploitable depends on the application itself.
Microsoft has now released a patch which eliminates this problem.
Source code which exploits the vulnerability is reported to be available on the Internet, and the risk of being affected if one continues to use Office without installing the patch is definitely real. We therefore recommend installing the patch.
This patch also corrects another vulnerability in the Jet driver, which affects all versions of MS Office (including Office 2000). This vulnerability allows text files, including system files, to be modified.
According to Microsoft, the patch's installation program determines which version of the Jet driver is installed and applies the correct patch.
More information about these vulnerabilities may be obtained here:
- Microsoft's Security Bulletin about this vulnerability.
- Microsoft's Frequently Asked Questions about this vulnerability.
- Microsoft's patch to correct the vulnerabilities.
Per Olav Førland
