August 20, 1999

Microsoft Discloses Flaws in Office 2000 Software

By SARA ROBINSON

SAN FRANCISCO -- Three weeks after security holes were found in its Office 97 software, the Microsoft Corporation Thursday acknowledged similar vulnerabilities in the recently released successor, Office 2000, and in other programs.





The company said it had known for several weeks about the Office 2000 flaw, which could allow data, software or hardware to be damaged via e-mail or commands sent from a malicious Web site. But it said it had chosen not to disclose the problem until a remedy was ready.

The Office 2000 flaw is not identical to the one in Office 97 and cannot be exploited in precisely the same way.

But as with the Office 97 flaw, an attack could be started using a software component called Jet to execute arbitrary commands hidden in an Office document.

Separately, Microsoft acknowledged today that there was a bug in its new Internet chat software, "MSN Messenger," that would allow co-workers and others who had access to a person's computer to see that person's e-mail password for Microsoft's Web-based "Hotmail" service. It promised to fix the flaw by week's end.

Microsoft security bulletins on the Office 97 flaw had explicitly said that Office 2000 users were not vulnerable.

Microsoft said it had been concerned about publicizing a security hole that it could not yet plug.

"Our policy is not to arm malicious coders until a solution is in place," said Andrew Dixon, group product manager for Office at Microsoft.

"We wanted to make sure that the information is there before we announced the vulnerability."

While the Jet component is most commonly associated with Office, it is also installed in conjunction with hundreds of other programs written by other companies for Microsoft operating systems, Dixon said.

The repair, or patch, which Microsoft said would be released by Friday, is intended to protect users against vulnerabilities in Office 97, Office 2000 or other programs using the Jet component.

Dixon said Microsoft would send a security bulletin disclosing the details of both problems to 1.5 million Office users as well as issuing articles with technical details of the problems.

The security bulletin and patch will also be posted on the Web at http://officeupdate.microsoft.com.

Juan Carlos Garcia Cuartango, an engineer in Spain, says he discovered both flaws late last month and immediately informed Microsoft.

While Cuartango decided to post a notice about the Office 97 flaw to an Internet mailing list, he did not publicly disclose the Office 2000 flaw until today, and Microsoft then acknowledged it.

"I decided to keep this confidential until the patch is published," he said today in an interview.

The flaws are particularly dangerous because Microsoft's Web browser ordinarily "trusts" documents from Microsoft Office programs like Word or Excel and opens them without warning the user.



Since the security flaws can be exploited from an Office document hidden in an e-mail message, a user reading e-mail on line can inadvertently unleash rogue programs or viruses.

Two weeks ago, Microsoft addressed the problem by making available a tool that configures the browser to alert the user before opening such documents.

It has taken the Office team several weeks to come up with a more fundamental solution because the company was concerned that non-Microsoft programs that use the Jet component might no longer work once the patch was installed.

"We wanted to make sure it didn't produce incompatibilities," Dixon said. "We wanted to make sure it's rock solid before introducing it this week."

The Jet component is represented by a Windows file named odbcjt32.dll. Since so many users are vulnerable, experts are advising Microsoft users to download the patch as soon as it is available and to exercise caution when opening unknown Word or Excel documents.





Copyright 1999 The New York Times Company