A serious flaw has been found in the Jet 3.51 data access software of the Office 97 suite from Microsoft. These applications currently are being used in millions of computers in schools and other organizations from coast to coast. In spite of the significant danger, a solution is readily available, computer security experts say.
The Jet 3.51 vulnerability would allow an attacker to create a malicious .xls or .doc file, according to computer security specialists. When opened, this file could execute arbitrary commands on a school district’s computer system.
Such a malicious file could be distributed via eMail, from the web (including in hidden frames), or by any number of other methods, according to the web site Security-Focus.com. The file could give hackers a security hole to retrieve, alter, or erase computer data. According to Security-Focus.com, a solution is available: “MDAC 2.1 includes the JET 4.0 driver, which is not affected by this vulnerability. It is available for download” at no charge from the Microsoft web site.
Attempts to exploit the security hole in Jet 3.51 would not be detected or prevented by antivirus software, according to Russ Cooper, a computer security expert in Lindsay, Ontario; but as of July 31, he said in an interview with Associated Press (AP), there had been no reports that any such breaches actually had occurred.
Andrew Dixon, group product manager for Office, did not return AP’s call for comment, and other knowledgeable Microsoft officials also were unavailable, company spokesman Dan Leach told the wire service.
Jeffrey Schiller, computer security chief at the Massachusetts Institute of Technology, said the data-access problem illustrates the pitfalls of upgrading programs over the web or through eMail, despite the convenience.
“It’s not clear to me that it’s a wise idea to write all these scripting files . . . that let you completely control the computer,” Schiller said.
Now that the flaws are known, recreational hackers and criminals might well be scrambling to take advantage of them before the fixes are in place, he warned.
Viruses typically have spread through macros (small programs combining a series of commands). A computer user opening eMail or importing material from a web site with macros typically is alerted and may disable the macros or reject documents and files that contain them.
The Jet 3.51 vulnerability is different.
Late in July, Juan Carlos Cuartango, a programmer who previously found security gaps in Microsoft’s Internet Explorer and in Netscape Navigator, discovered that Internet Explorer and Windows are configured to “trust” Word, Excel, Powerpoint, and other Office program documents. Thus, files from these applications may be used as “trojan horses” to implant malicious code into a computer, triggering low-level operating system commands that could change or destroy files or even undermine an entire hard drive without resorting to macros.
“This is a bug that needs to be fixed, a bug of huge proportions,” Cooper said, referring to the Jet 3.51 vulnerability. “The ramifications are quite large.”
Office 2000 and some of the final versions of Office 97 are free from the flaw, but it is present in millions of installed versions of Office 97 and probably also in many older versions, possibly dating as far back as 1992, Cooper said.
A member of Microsoft’s security response team confirmed the security hole in a posting to NTBugTraq on July 29, according to the internet news service CNET News: “The company said the ‘vulnerability should be taken seriously’ and recommends that all customers upgrade to Jet 4.0.”
CNET News also offered this method for checking the vulnerability of your PCs:
“Using the Windows ‘Find’ command, search for a file named ‘ODBCJT32.DLL.’ Using the right mouse button, click on the file, then select the ‘Properties’ tab. Click on the ‘Version’ tab to check the version number of the file. If it is a version prior to 4.0, it should be updated. The new version of the drivers are contained in a file called Microsoft Data Access Components version 2.1, available from Microsoft’s web site.”
Universal Data Access (MDAC) Download Page
NTBugTraq home page
Microsoft Jet 3.5