IE 4/Office 97 Security Hole

From: Marvin <>
Date: Thu Jan 21 15:02:09 1999

I just heard of a vulnerability of people using IE 4 and Office 97. It
checks out at the MS site, and am just passing it along (although I realize
it is OT.)

> ~~~~~~~~~~~~~~~
> Listen up, people. This is serious. Probably the most
> important article that's ever appeared in Woody's Office
> Watch.
> WOWser DavidF wrote to me last week with a masterful,
> amazing hack that exploits the largest Office security hole
> I've ever seen. No, I'm not going to tell you the details
> of how the security hole works (Microsoft will give some
> broad info) - and I sure as hell hope nobody else drops
> enough hints to teach some %$#_at_! idiot malware writer how
> to do it. But I will tell you what it does. If you have
> Office installed, and you use Internet Explorer to view an
> infected Web page, that page - without your knowledge, or
> any action on your part - can wreak havoc on your system.
> It can drop a virus, delete a folder, scramble data, send
> your tax files to Timbuktu... anything. Similarly, if you
> use Outlook 98 or later to view an infected HTML message,
> that message - with no action on your part - can do
> anything to your system.
> Anti-virus legend Dr. Vesselin Bontchev confirmed DavidF's
> report by showing me an HTML file that exploits the
> security hole. It's... scary. It's way too easy to
> exploit, unlike some more obscure security problems you
> don't have to be a 'rocket scientist' to spread trouble.
> For that reason, WOW has decided to be quick about warning
> our readers to get the protective patch before examples of
> this spread 'in the wild'.
> DavidF told me, "I'm a bit surprised this isn't more widely
> known. I notified the IE team of it long ago..." As in the
> past WOW has been able to bypass Microsoft's bureaucracy
> and quickly get the details to the people who matter. Once
> we passed along David's news to the right levels inside
> Microsoft, the offal hit the impellers, a team has been
> working day and night for the last few days to find a fix.
> Microsoft will be posting that fix in the next few hours.
> That's why we held off on sending WOW to you this week - to
> make sure the fix was ready and that it works. It does.
> Let me make this really clear. Every single Office user who
> also uses Internet Explorer or Outlook 98 or later, MUST
> INSTALL THIS PATCH. It's only a matter of time before some
> %$#_at_! cretin figures out how to exploit this hole. You -
> and everyone you know - needs protection NOW.
> There's actually TWO security patches out today. We're
> particularly concerned with the Word 97 Template patch, but
> you should get the Forms 2.0 patch as well. More info on
> both problems below.
> Microsoft Security Bulletin:
> Office Update Download Page:
> Office Update Download Page:
> Microsoft Security Bulletin:
> Please. Take a few seconds to forward this article to
> everyone you know who doesn't subscribe to WOW. Urge them
> in no uncertain terms to get the patches, and apply them
> immediately.
>Don Cooley / San Jose CA / . Go to
> to join the Prostate-Help Mailing List,
>subscribe to the Newsletter, find my cancer story and family
>history. To discuss our prostate cancer call me at 408-268-6400
Received on Thu Jan 21 1999 - 15:02:09 GMT

This archive was generated by hypermail 2.3.0 : Fri Oct 10 2014 - 23:32:07 BST