Microsoft Security Program: Frequently Asked Questions: Microsoft Security Bulletin (MS99-030)

What's this bulletin about?
Microsoft Security Bulletin MS99-030 announces the availability of a patch that eliminates two vulnerabilities in the Microsoft® Jet database engine. The vulnerabilities could allow a database query to take virtually any action on a user's computer. Jet is used by Office and other Microsoft products, and this vulnerability may affect many of them as well. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerabilities and what they can do about them.

Why was this bulletin updated?
Since releasing the original version of the patch, Microsoft has been made aware of an additional variant of one of the vulnerabilities, the "Text I-ISAM" vulnerability. Although the variant is less serious than the original vulnerability, we are releasing an updated patch in order to allow customers to fully protect themselves against all known vulnerabilities. Details on the new variant are discussed below in "What is the new vulnerability?"

What is Jet?
Jet is a database engine. It implements basic database functions, like the ability to store data in an organized fashion, to add, modify or delete data, search the data, etc. By implementing all of the basic database functions in a stand-alone package, any application that needs to provide database functionality can simply use Jet. This saves development time, enables interoperability, and provides a consistent framework for using database functions.
Because of Jet's versatility, it is used by a large number of applications. For example, it is used by Microsoft products like Excel and Access, it ships as part of Visual Studio, and is used by a large number of third-party products.

What's the scope of the vulnerabilities?
The originally reported vulnerabilities could allow a database query to take virtually any action on the computer of a user who ran it. This could include adding, deleting or modifying files; reformatting the user's hard drive; copying information to or from a web site; or taking virtually any other action that the person who developed the query wished. The newly-discovered variant would allow a database query to delete files on the user's computer.
Jet is used by many applications, and the ease or difficulty of exploiting these vulnerabilities would depend on the application that a malicious user chose to use for his or her attack. Some applications lend themselves more readily to attacks via these vulnerabilities, while others make it difficult or impossible. However, Office documents are likely to be the most common method of attack via these vulnerabilities, as discussed in greater detail below.
A malicious user could not attack you simply by executing a database query on his or her own machine. Instead, they would need to get you to execute the query on your machine. Unfortunately, there are a large number of ways to do this, including sending an affected file to you as an e-mail attachment or hosting an affected Office document on a web site, and there are a large number of applications that use Jet.

Is this the same issue that was referred to as the "Excel97 ODBC Vulnerability"?
Yes. However, this name is a misnomer. The vulnerabilities actually have nothing to do with ODBC, and they affect more products than just Excel97. However, this is how the issue initially was reported, and so we are continuing to refer to the overall issue as the "ODBC Vulnerability" for familiarity.
The problem could affect any application that uses the Jet database engine. All applications in the Office97 and Office2000 suites are known to be affected by at least one of these vulnerabilities. Other applications that use Jet may be affected as well, and we recommend that all customers apply the patch to ensure that they are protected.

If these vulnerabilities apply to any application that uses Jet, why is this being discussed primarily with regard to Office?
Microsoft has focused on the threat that these vulnerabilities pose to Office users for three reasons:

Scenarios for exploiting these vulnerabilities via Office are publicly known. Microsoft has not confirmed a method of exploiting either vulnerability through other applications.

A malicious user who wanted to target as many people as possible might choose to do so via an Office document that exploits the vulnerability, simply because there are more users of Office than there are of the other affected applications.

The vulnerability can be exploited via Office documents that are hosted on web pages.

What's the threat from web-hosted Office documents?
If an Office document is hosted on a web page, Internet Explorer will open the document without asking for confirmation. This is by design and is known as Document Object Hosting. (This ability is not exclusive to Office; other applications that choose to can register to perform Document Object Hosting). The threat that this poses is that a malicious web site operator could host an Office document that contains a database query that takes some destructive action via these vulnerabilities. A person could be attacked through these vulnerabilities simply by visiting the web page.
As part of the patch, Microsoft is providing a tool that allows customers to disable Document Object Hosting for Office documents. The tool will cause Internet Explorer to always request confirmation before opening a web-hosted Office document. Please note that if you've applied the patch, it's not necessary to disable Document Object Hosting, as the patch eliminates the vulnerabilities in Office and prevents attacks, even from web-hosted Office documents.

What other applications use Jet? How are they affected?
In addition to being used by Office, Jet is used by several other Microsoft products, including but not limited to:

Microsoft Visual Studio

Microsoft Project

Microsoft Publisher

Microsoft Streets & Trips

For a complete listing of Microsoft products that use Jet, consult Microsoft Knowledge Base article 141796. Jet is also used by many third-party products. It's impossible to provide a listing of these products, because Jet is freely available for use by third parties.
Because the vulnerabilities lie in the Jet engine, they could in theory be exploited via any application that uses Jet. However, in practice, the difficulty of exploiting these vulnerabilities would vary significantly from application to application. Although Microsoft has not confirmed a method of exploiting the vulnerabilities via any product but Office, we recommend that all customers who have Jet installed on their computers apply the patch as a precautionary measure.

I heard that Exchange is not affected by these vulnerabilities even though it uses Jet. Is this true?
Yes. For product-specific reasons, Microsoft Exchange Server® is unaffected by these vulnerabilities even though it does use Jet.

What are the vulnerabilities?
There are two vulnerabilities. The first is the "VBA Shell" vulnerability, which affects Jet 3.52 and previous versions. Database queries in Jet can contain operating system commands; when the query is processed, the command is executed and the results are used in the rest of the query. This can be used for legitimate purposes. For example, a database query might request the current time from the operating system, then search for all records that are more than an hour old. The vulnerability results because any operating system command can be used, even ones that cause a potentially destructive action to be taken. For example, a database query could contain a command to reformat the hard drive. When the query was processed, the command would be executed.
The second vulnerability is the "Text I-ISAM" vulnerability, which affects all versions of Jet. Jet provides a feature, known as Text I-ISAM, that would allow a database query to write to a text file. This is useful when a Jet application is used in conjunction with another application that doesn't allow dynamic data exchange; the Jet application writes its results to a file and the other application reads the information and uses it. The vulnerability results because Jet database queries can write to any text file, including system files. A database query could be used to write invalid or even destructive information into a system file.

What is the new vulnerability?
Since releasing the original security bulletin in August, Microsoft has learned of an additional variant of the "Text I-ISAM" vulnerability. Even after applying the original patch, it would be possible for a malicious user to embed a "drop table" command in an Excel query and cause files on the user's computer to be deleted. It would not allow files to be created or modified, so the risk from this new variant is lower than that of the original vulnerability.

How does the patch eliminate the "VBA Shell" vulnerability?
The patch eliminates the "VBA Shell" vulnerability by creating a mode called "sandbox mode". When Jet is in "sandbox mode", it restricts what operating system commands can be included in database queries. For example, commands that simply report information are still allowed, but commands that could be used to take malicious action on the computer are not.
"Sandbox mode" has always been available in Jet 4.0, and the patch makes it available in previous versions of Jet as well. In addition, the patch makes "sandbox mode" significantly more flexible. As originally implemented in Jet 4.0, "sandbox mode" was disabled for Microsoft Access2000 (to ensure backwards compatibility), enabled for all other applications, and the user could not change this. The patch allows the user to change whether "sandbox mode" is enabled or disabled, and allows it to be toggled separately for Access. The patch provides this additional flexibility to all versions of Jet, including Jet 4.0.
For more information on "sandbox mode", see Microsoft Knowledge Base articles 239482 and 239104.

How does the patch eliminate the "Text I-ISAM" vulnerability?
The patch eliminates the "Text I-ISAM" vulnerability by specifying a list of file types that Jet database queries may not write to. This list is configurable, and users can change which file types are on this list. For more information on this feature, see Microsoft Knowledge Base articles 239471 and 239105.

How does the patch eliminate the new variant of the "Text I-ISAM" vulnerability?
The patch extends the original patch to also prevent the new variant.

Does the patch include anything else?
In addition to eliminating the two vulnerabilities, the patch also includes the Office Document Open Confirmation tool, which can be used to disable Document Object Hosting for Office documents. After running it, Internet Explorer will request confirmation before opening any Office document that is hosted on a web site. Please note that this tool only disables Document Object Hosting for Office documents; other applications that may have registered to perform Document Object Hosting are not affected by this tool.

Where can I get the patch, and how do I apply it?
It's really easy. Just visit the Office Update site. There are pages there that discuss the vulnerabilities as they apply to Excel97 and Excel2000, and each page provides a link to the patch. The patch will determine what version of Jet is installed on your computer, and apply the right changes.

I previously applied the original version of the patch. Do I need to apply the new patch?
Yes. If you do not apply the new patch, you could be affected by the new variant of the "Text I-ISAM" vulnerability.

I didn't apply the original version of the patch. Do I need to apply it before I can apply this one?
No. The new patch protects against the original vulnerabilities, plus the new variant. If you didn't previously apply the patch, you only need to apply the new version.

I am using Jet, but not Office. Do I need to apply the new version of the patch?
Yes. As in the original vulnerability, the root problem in the new variant of the "Text I-ISAM" vulnerability lies in the Jet database engine. If you are using Jet, you could be affected by this vulnerability, even if you are not using Office.

I previously ran the Office Document Open Confirmation tool. Do I need to run it again?
No. You only need to run the tool once to require confirmation when opening web-hosted Office documents. If you've already run it, you don't need to run it again after applying the updated patch.

I don't have Office, but I do have another affected product. Where can I get the patch?
You don't need to have Office in order to get the patch from the Office Update site. Just visit the site, and it will determine what, if any, patch needs to be applied. You can apply the patch from either the Excel97 or Excel2000 page; the patch is exactly the same no matter what page you download it from.

I have a non-English version of Office and Windows. Can I apply the patch?
Yes. The patch is fully localized, so it will work with any language pack.

I have more than one affected product. What should I do?
Visit the Office Update site. It will detect all of the copies of Jet that are installed, even if they're different versions, and apply the right patches. You can apply the patch from either the Excel97 or Excel2000 page; the patch is exactly the same no matter what page you download it from.

I don't know whether I have an affected product. What should I do?
Visit the Office Update site. If you don't have an affected product, the site will tell you. If you do have one, it will apply the patch. You can apply the patch from either the Excel97 or Excel2000 page; the patch is exactly the same no matter what page you download it from.

I want to install the patch myself. Can I do this?
Yes, but it's easier to let Office Update do it automatically. To determine what patch to apply, you'll need to know what version of Jet you have. Use the table below to determine the version and the recommended action. Wherever there is an "x" in a version number below, any digit may appear in that position.

File            Version number   Jet version   Recommended action
MSAJT110.DLL    1.10.xxxx        Jet 1.1       This version is no longer supported
MSAJT200.DLL    2.00.xxxx        Jet 2.0       This version is no longer supported
MSAJT200.DLL    2.50.xxxx        Jet 2.5       This version is no longer supported
MSJT3032.DLL    3.000.xxxx       Jet 3.0       This version is no longer supported
MSJET35.DLL     3.50.xxxx.x      Jet 3.5       Upgrade to Jet version 3.51.632 by installing Office97 Service Release 2, then apply Jet 3.5x Service Pack 3
MSJET35.DLL     3.51.xxxx.x      Jet 3.51      Upgrade to Jet version 3.51.632 by installing Office97 Service Release 2, then apply Jet 3.5x Service Pack 3
MSJET35.DLL     3.52.xxxx.x      Jet 3.52      Apply Jet 3.5x Service Pack 3
MSJET40.DLL     4.0.xxxx.x       Jet 4.0       Apply the latest Jet 4.0 Service Pack
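
The following script is an added example for administrators who want to apply the table above to a machine; it is not part of the bulletin and not a Microsoft tool. It looks for the listed Jet DLLs in the usual system directories (the search paths and the "not in table" fallback are assumptions), reads each file's version resource, and reports the Jet version and recommended action from the table.

```powershell
# Added example; not from the bulletin and not a Microsoft tool. Scans the usual
# system directories for the Jet DLLs named in the table above, reads each file's
# version resource, and reports the Jet version and recommended action from that table.
# Assumed: Windows PowerShell; the search paths and the fallback strings are mine.

$JetVersionTable = @(
    @{ File = 'MSAJT110.DLL'; Prefix = '1.10.';  Jet = 'Jet 1.1';  Action = 'No longer supported' },
    @{ File = 'MSAJT200.DLL'; Prefix = '2.00.';  Jet = 'Jet 2.0';  Action = 'No longer supported' },
    @{ File = 'MSAJT200.DLL'; Prefix = '2.50.';  Jet = 'Jet 2.5';  Action = 'No longer supported' },
    @{ File = 'MSJT3032.DLL'; Prefix = '3.000.'; Jet = 'Jet 3.0';  Action = 'No longer supported' },
    @{ File = 'MSJET35.DLL';  Prefix = '3.50.';  Jet = 'Jet 3.5';  Action = 'Install Office97 SR-2 (Jet 3.51.632), then Jet 3.5x Service Pack 3' },
    @{ File = 'MSJET35.DLL';  Prefix = '3.51.';  Jet = 'Jet 3.51'; Action = 'Install Office97 SR-2 (Jet 3.51.632), then Jet 3.5x Service Pack 3' },
    @{ File = 'MSJET35.DLL';  Prefix = '3.52.';  Jet = 'Jet 3.52'; Action = 'Apply Jet 3.5x Service Pack 3' },
    @{ File = 'MSJET40.DLL';  Prefix = '4.0.';   Jet = 'Jet 4.0';  Action = 'Apply the latest Jet 4.0 Service Pack' }
)

function Resolve-JetVersion {
    # Map a DLL name plus its version string ("3.51.3328.0" style) to a table row.
    # Prefixes are taken literally from the table; the "xxxx" positions are not checked.
    param([string]$FileName, [string]$FileVersion)
    foreach ($row in $JetVersionTable) {
        if ($FileName -ieq $row.File -and $FileVersion -like "$($row.Prefix)*") { return $row }
    }
    return $null
}

function Get-JetStatus {
    param([string[]]$SearchRoots = @("$env:SystemRoot\System32",
                                     "$env:SystemRoot\SysWOW64",
                                     "$env:SystemRoot\System"))
    $names = $JetVersionTable | ForEach-Object { $_.File } | Sort-Object -Unique
    foreach ($root in $SearchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($name in $names) {
            $path = Join-Path $root $name
            if (-not (Test-Path -LiteralPath $path)) { continue }
            # FileVersion comes from the DLL's version resource, e.g. "4.0.9756.0".
            $ver    = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
            $row    = Resolve-JetVersion -FileName $name -FileVersion $ver
            $jet    = if ($row) { $row.Jet }    else { 'Not in table' }
            $action = if ($row) { $row.Action } else { 'Review the version manually' }
            [pscustomobject]@{ Path = $path; FileVersion = $ver; Jet = $jet; Action = $action }
        }
    }
}

# One row per Jet DLL found; an empty result means none of the listed files is present.
Get-JetStatus | Format-Table -AutoSize -Wrap
```

A file that is present but whose version does not start with any prefix in the table is reported as "Not in table" rather than silently skipped, so nothing the table does not cover goes unnoticed.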

How can I verify that the patch installed correctly?
Knowledge Base article 239114 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to check that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.

I'm a system administrator and would like to deploy the patch via SMS. Can I do this?
Yes. The readme file that's included in the patch downloadable from the Office Update site contains instructions for doing a "silent install" via SMS. You'll need to extract the readme file from the patch in order to read it. There are two ways to do this:

To extract the files via the GUI, save the patch to your computer, then right-click on the patch icon and select "Extract".

To extract the files via the command line, save the patch to your computer, then execute it using the /t and /c options. (For a complete list of command-line options, execute the patch using the /? option.)

What is Microsoft doing about this issue?

Microsoft has developed an updated patch that eliminates all known vulnerabilities.

Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.

Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.

Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.

Where can I learn more about best practices for security?
The Microsoft Security web site is the best place to get information about Microsoft security.

How do I get technical support on this issue?
Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
