Bug hunter finds Office 97, IE security hole

A security expert has unearthed another gaping hole in Microsoft Office and Internet Explorer.

Juan Carlos G. Cuartango, who has previously exposed several serious security holes in Microsoft Internet Explorer and Netscape Navigator, says the breach allows an e-mail message or web page to execute an arbitrary command on the user’s system.

The hole is present on any Windows or NT system containing Version 3.51 of Microsoft’s “Jet” database engine. The vulnerable version of the engine was shipped with Microsoft Office 97. It may also have been included with other Microsoft products and development tools, or with third-party applications.

The security hole does not rely on macros; instead, it uses database queries that trigger the execution of commands on the user’s computer system. An unauthorized query can occur in a spreadsheet formula, a field in a word processor document, or a data file used by a database-enabled application. Virus scanners that look for dangerous macro viruses do not look for such queries and therefore do not prevent the hole from being exploited.

According to Cuartango, the vulnerability is especially dangerous because it can be exploited remotely via the Internet. If a user with the vulnerable database engine is running Microsoft Internet Explorer and visits a Web page with an embedded Office document (such as an Excel spreadsheet), viewing the document will allow arbitrary commands to be executed on that user’s system. “If you visit (the) page,” says Cuartango, “you are dead.”

Microsoft acknowledged the presence of the bug and urged users to take action. To remove the vulnerability, download and install the latest version of the Microsoft Data Access Components, available from www.microsoft.com/data/.

Further details are contained in the story posted at www.zdnn.com.


