Well it seems some people still believe in security through obscurity. Three weeks after the vulnerability was announced the people with the knowledge of the details have not disclosed further information (hi Russ). Now that same people are asking whether the information should be disclosed at all (and trying to get some nice publicity out of it). Well guess what? An exploit is been around for quite a while now. We've had an exploit in the SF vulnerability database for some time now. We refer to this vulnerability as BUGTRAQ-ID 548 "Microsoft JET ODBC Vulnerability". The exploit, originally by BrootFoce, is an Excel file that starts an FTP session to download a file and launches Regedit when opened. Please note that for the exploit to work the file C:\CONFIG.SYS must exists. This is an arbitrary file. Any other file will do. Now without knowing the full details of the vulnerability we can only guess that this exploit exercises the same vulnerability. Maybe the people in the known will enlighten us? Now what does this teach us? That trying to keep the details of a vulnerability secret while at the same time announcing it existence does not work. If you are going to announce a vulnerability, provide all the details. Otherwise keep the vulnerability to yourself. BUGTRAQ and Security Focus will always be committed to full disclosure. Your mileage may vary with others. Visit the vulnerability database to download the Excel file exploit. http://www.securityfocus.com/level2/?go=vulnerabilities&id=548 -- Elias Levy Security Focus http://www.securityfocus.com/
