-----BEGIN PGP SIGNED MESSAGE-----

===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : Teun Nijssen                                Index  :    S-99-30
Distribution  : World                                       Page   :          1
Classification: External                                    Version:          1
Subject       : Microsoft ODBC problem in Jet               Date   :  31-Aug-99
===============================================================================

By courtesy of CIAC and Microsoft we received information on a vulnerability
in ODBC. Note that this is not the same problem as described in S-99-21.

______________________________________________________________________________
PROBLEM:        Microsoft has identified two vulnerabilities in Jet, a data-
                base engine used by Microsoft products.  The vulnerabilities
                are in "VBS Shell" and "Txt I-ISAM".
PLATFORM:       Microsoft Office97 and Office2000 applications that use Jet.
DAMAGE:         "VBS Shell" vulnerability - system commands could be embedded
                within a database query which can be executed with the query
                is processed.
                "Txt I-ISAM" vulnerability - a malicious user could modify
                system files via a database query.
SOLUTION:       Install the patch.
______________________________________________________________________________
VULNERABILITY   Risk is high if you are still running one of the affected
ASSESSMENT:     applications.  The exploits are publicly know.  Attacks could
                occur simply by visiting a malicious user's web site.
______________________________________________________________________________

[  Start Microsoft Bulletin  ]

Microsoft Security Bulletin (MS99-030)
======================================

Patch Available for Office "ODBC Vulnerabilities"
Originally Posted: August 20, 1999

Summary
- - -------
Microsoft has released a patch that eliminates security vulnerabilities in
the Microsoft(r) Jet database engine. The vulnerabilities could affect any
application that runs atop Jet, and could allow a database query to take
virtually any action on a user's computer. Microsoft recommends that all
customers who are running applications that use Jet, especially users of
Microsoft Office97 and Office2000, install the patch.

Additional information and frequently asked questions regarding this
vulnerability can be found at
http://www.microsoft.com/security/bulletins/MS99-030faq.asp

Issue
- - -----
Jet is a database engine used by Microsoft products such as Microsoft
Office97 and Office2000.  Two vulnerabilities exist in Jet:
 - The "VBA Shell" vulnerability, which affects all versions of Jet
   except Jet 4.0. An operating system command embedded within a
   database query could be executed when the query is processed.
   This would allow a spreadsheet, database, or other application
   file that contained such a query to take virtually any action on
   the user's computer when the query was executed.
 - The "Text I-ISAM" vulnerability, which affects all versions of Jet.
   Jet provides a way to modify the contents of text files, as a means of
   allowing data exchange between it and other systems. However, a
   malicious user could use this capability to modify system files via
   a database query.

Microsoft Office uses the Jet engine, and Office users are particularly at
risk from these vulnerabilities. (The "VBA Shell" vulnerability affects all
versions of Office prior to  Office2000, and also affects one member of the
Office2000 suite, Access2000. The "Text I-ISAM" vulnerability affects all
versions of Office). The vulnerabilities are an especially serious threat
to Office users for three reasons:
 - Scenarios for exploiting these vulnerabilities via Office documents
   are publicly known.
 - The ubiquity of Office would make it an attractive target for
   mounting attacks via these vulnerabilities.
 - The ability of Office documents to perform Document Object Hosting
   would permit users to be attacked simply by visiting a malicious
   user's web site.

Microsoft Jet also is used by several other Microsoft products, as well as
many third party  applications. However, the ability to exploit this
vulnerability through these products is highly  dependent on the specific
application. Although Microsoft has not identified a means of exploiting
these vulnerabilities through any Microsoft products except Office, we
recommend that all customers who have Microsoft Jet installed on their
computer update it. This will ensure that they are protected against any
possible attacks that may be developed.

Affected Software Versions
==========================
 - Microsoft Jet, all versions

NOTE: Jet serves as the database engine for a number of Microsoft products,
including but not limited to:
 - Microsoft Office
 - Microsoft Visual Studio
 - Microsoft Publisher
 - Microsoft Streets & Trips

Jet also serves as the database engine for many third-party software
products. The patch does not require any change to any of the applications
that use Jet; instead, it operates directly on the Jet database engine and
restores proper functionality to it.

Patch Availability
==================
 - http://officeupdate.microsoft.com/articles/mdac_typ.htm

NOTE: A patch is available for Jet 3.5 and all subsequent versions. Older
versions of Jet are no longer supported, and we recommend that affected
customers upgrade to a supported version.

NOTE: The OfficeUpdate site automatically detects the version of Jet that is
installed on a machine, and applies the correct patch. The patch is
suitable for widespread deployment via Microsoft(r) Systems Management
Server(r). Users who wish to manually apply patches for specific versions
of Jet should consult the FAQ for information on how to do this.

More Information
================
Please see the following references for more information related to this
issue. Please note that  it may take 24 hours from the original posting of
this bulletin for all of the KB articles to be visible on the Microsoft web
site.
 - Microsoft Security Bulletin MS99-030: Frequently Asked Questions,
   http://www.microsoft.com/security/bulletins/MS99-030faq.asp.
 - Microsoft Knowledge Base (KB) article Q239114,
   ACC2000: Updated Version of Microsoft Jet 4.0 Available on MS,
   http://support.microsoft.com/support/kb/articles/q239/1/14.asp.
 - Microsoft Knowledge Base (KB) article Q172733,
   Updated Version of Microsoft Jet 3.5 Available on MSL,
   http://support.microsoft.com/support/kb/articles/q172/7/33.asp.
 - Microsoft Knowledge Base (KB) article Q239482,
   ACC2000: Jet 4.0 Expression can Execute Unsafe VBA Functions,
   http://support.microsoft.com/support/kb/articles/q239/4/82.asp.
 - Microsoft Knowledge Base (KB) article Q239104,
   Access97: Jet Expression can Execute Query with Unsafe VBA Functions,
   http://support.microsoft.com/support/kb/articles/q239/1/04.asp.
 - Microsoft Knowledge Base (KB) article Q239471,
   ACC2000: Text I-ISAM Allows Users to Append Lines Into System Files,
   http://support.microsoft.com/support/kb/articles/q239/4/71.asp.
 - Microsoft Knowledge Base (KB) article Q239105,
   ACC97: Text I-ISAM Allows Users to Append Lines Into System Files,
   http://support.microsoft.com/support/kb/articles/q239/1/05.asp.
 - Microsoft Knowledge Base (KB) article Q172733,
   Updated Version of Microsoft Jet 3.5 Available on MSL,
   http://support.microsoft.com/support/kb/articles/Q172/7/33.asp.
 - Microsoft KB article Q141796,
   How to Identify the Jet Database Engine Components,
   http://support.microsoft.com/support/kb/articles/Q141/7/96.asp.
 - Microsoft Security Advisor web site,
   http://www.microsoft.com/security/default.asp.

Acknowledgments
===============
Microsoft acknowledges Juan Carlos Cuartango of Spain for bringing this
issue to our attention.

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
  http://www.surfnet.nl/surfnet/security/cert-nl.html
  ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your
local CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet
customer please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

   Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
   Phone:     +31 302 305 305        BUSINESS HOURS ONLY
   Fax:       +31 302 305 329        BUSINESS HOURS ONLY
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands

NOODGEVALLEN:    06 52 87 92 82      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 52 87 92 82      ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.

==============================================================================


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.0.2i

iQCVAwUBN8ukZfE6s6q7Tf4RAQF0eAP/c02CGCKAfmDJyHaNpog3sXdVoZMnREJp
t6P2lsHQwKCeJndMGWY5nUvHmJlkLCcS5KhXHf8LHBn8lLJ15MDNxQ5crVmR7j1N
4IdXaHmUi9UWJ91XNkINI+6XYRVjvpRhg8SvqCgrqJtE2L7vNwOKo2W+OsgKyTI/
s+K+lsBJiCA=
=Wasi
-----END PGP SIGNATURE-----