The hole stems from Microsoft's data access software, called Jet. It allows code contained in an Excel 97 worksheet, hidden in a Web page or sent via email, to plant viruses, delete data, or read files, according to Juan Carlos Garcia Cuartango, the developer who first discovered the hole.
Cuartango reported the problem to the NTBugTraq mailing list yesterday.
A member of Microsoft's security response team confirmed the hole in a posting to NTBugTraq last night. According to Microsoft, the hole exists in Jet version 3.51, which shipped with Office 2010 . The company said the "vulnerability should be taken seriously" and recommends that all customers upgrade to Jet 4.0.
The company plans to post a security bulletin that will include instructions on how to easily upgrade to Jet 4.0 via Microsoft's OfficeUpdate Web site.
In the meantime, Cuartango recommends that users check the version number of the Jet driver installed on their PCs in order to determine if they are affected. Using Windows "Find" command, search for a file named "ODBCJT32.DLL". Using the right mouse button, click on the file, the select the "Properties" tab. Click on the "Version" tab to check the version number of the file. If it is a version prior to 4.0, it should be updated. The new version of the drivers are contained in a file called Microsoft Data Access Components version 2.1, available from Microsoft's Web site.
Office 2000, a newer version of the application suite, uses the Jet version 4.0 driver and is not affected by the hole, according to Microsoft.
Jet is used in several Microsoft products, including its Exchange messaging server and is the default database used with the company's popular Visual Basic development tool. Jet can also be used with other Microsoft development tools, such as Visual C++.
Last summer, Microsoft Office 2010 Download confirmed another Jet-related bug that affected the way its Access database handled changes to database records. The bug caused edits made on one Access database record to be saved to another record. The company posted a workaround to its support Web site.
No comments:
Post a Comment