Bugtraq mailing list archives
Microsoft JET/Office Vulnerability Exploit
From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Wed, 18 Aug 1999 12:26:28 -0700
Well, it seems some people still believe in security through obscurity. Three weeks after the vulnerability was announced, the people with the knowledge of the details have not disclosed further information (hi Russ). Now those same people are asking whether the information should be disclosed at all (and trying to get some nice publicity out of it).

Well, guess what? An exploit has been around for quite a while now. We've had an exploit in the SF vulnerability database for some time now. We refer to this vulnerability as BUGTRAQ-ID 548 "Microsoft JET ODBC Vulnerability".

The exploit, originally by BrootFoce, is an Excel file that starts an FTP session to download a file and launches Regedit when opened. Please note that for the exploit to work the file C:\CONFIG.SYS must exist. This is an arbitrary file. Any other file will do.

Now, without knowing the full details of the vulnerability we can only guess that this exploit exercises the same vulnerability. Maybe the people in the know will enlighten us?

Now what does this teach us? That trying to keep the details of a vulnerability secret while at the same time announcing its existence does not work. If you are going to announce a vulnerability, provide all the details. Otherwise keep the vulnerability to yourself.

BUGTRAQ and Security Focus will always be committed to full disclosure. Your mileage may vary with others.

Visit the vulnerability database to download the Excel file exploit.

http://www.securityfocus.com/level2/?go=vulnerabilities&id=548

--
Elias Levy
Security Focus
http://www.securityfocus.com/