Microsoft backtracks, says flaw also in Office 2000
Reversing its earlier stance, Microsoft has acknowledged that a security hole found in its Office 97 application suite also affects its newer Office 2000 package.
The security flaw, first reported last month, is related to the company's data access software, called Jet, and is found in the company's Excel 97 program, a popular component of Office 97.
The hole allows code contained in an Excel 97 worksheet, hidden in a Web page or sent via email, to plant viruses, delete data, or read files, according to the programmer who discovered the problem, Juan Carlos Garcia Cuartango, an engineer in Spain. Cuartango posted a message about the flaw to the NTBugTraq mailing list and also notified Microsoft.
At the time, Microsoft officials said that the hole did not affect Office 2000, which uses a newer version of Jet.
Today, a Microsoft representative said that the company's programmers have found a similar vulnerability in Office 2000. According to Microsoft, the Office 2000 flaw is slightly different, but is also tied to Jet and can also be exploited via Excel to perform malicious acts. The flaw was first found by Cuartango and reported by the New York Times.
Microsoft is expected today to release both a bulletin detailing the security flaw and a software patch. The company recommends that all Office 2000, Office 97, Excel 2000, and Excel 97 users update their systems using the patch. Both will be available from Microsoft's Office Update Web site.
Due to the complexity in which Jet interacts with other Microsoft applications, security experts have said they would prefer that the company take the time to get a patch right before issuing a fix.
Jet is used in several Microsoft products, including its Exchange messaging server and is the default database used with the company's popular Visual Basic development tool. Jet can also be used with other Microsoft development tools, such as Visual C++. It is also used by third-party software providers.