Microsoft Security Bulletin MS00-051

Technical description:

A vulnerability has been discovered in REGISTER.ID, a worksheet function. When REGISTER.ID is invoked from an Excel worksheet, it can reference any DLL on the system. If the referenced DLL contains malicious code, harmful effects can occur. By design, there is no warning given to the user when REGISTER.ID calls a DLL from a worksheet.

In order for a malicious user to exploit this vulnerability the referenced (malicious) DLL would have to reside on the affected user's computer or on a machine accessible via a UNC path on the user's network.

What's this bulletin about?
Microsoft Security Bulletin MS00-051 announces the availability of a patch that eliminates a vulnerability in Microsoft® Excel 97 and Excel 2000. Microsoft is committed to protecting customers' information, and is providing this bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
A vulnerability has been discovered in Microsoft Excel 97 and Excel 2000. If an Excel worksheet containing the REGISTER.ID function references a malicious DLL (Dynamic Link Library) it can cause code to run on a user's computer without their knowledge. The code executed on the affected user's computer can perform any action that the user could perform on the machine.
In order for this vulnerability to be exploited, a malicious user would need to create a DLL and have it referenced from an Excel worksheet through REGISTER.ID. The malicious DLL must reside on the affected user's machine or be accessible through a UNC (Universal Naming Convention, \\<server>\<share>) path on the user's network.

What causes the vulnerability?
Because of an implementation error, the Microsoft Excel REGISTER.ID worksheet function enables any DLL to be referenced from a worksheet without warning to the user. When a user opens a malicious worksheet that contains the REGISTER.ID function, the worksheet can invoke the function to reference a malicious DLL in any location that is accessible by the affected user.

What is the REGISTER.ID function?
REGISTER.ID is a worksheet function included in Microsoft Excel. The function returns the register ID (internal value mapped to the DLL) of a DLL or code resource that has been previously registered. If the DLL or code resource has not been registered, this function registers the DLL or code resource and then returns the register ID.
The function is invoked like other functions such as SUM, AVERAGE, COUNT, etc., from an Excel worksheet.

What is a malicious DLL?
A malicious DLL is a dynamic link library that is not part of the standard Microsoft Office or Windows Operating System installation. A developer would need to create and compile a malicious DLL.

What's wrong with the REGISTER.ID function?
REGISTER.ID allows a DLL to run without warning to the user. The patch provided eliminates the use of this function within any worksheet.

Why does REGISTER.ID allow code to be launched?
By design, the REGISTER.ID worksheet function is used for referencing DLL's and procedures (or functions) within a DLL. The vulnerability at issue is the ability for a malicious user to create a DLL that is accessible by the user and that can be referenced through REGISTER.ID.

Can the REGISTER.ID function be used through VBA (Visual Basic for Applications) macro language?
Yes. However, Excel gives you the ability to choose whether you want to open a workbook that contains macros and allows you to disable them. This protection mechanism does not prevent workbook containing the REGISTER.ID function from invoking a DLL.

Who could exploit this vulnerability?
Anyone who could develop a malicious DLL and have it referenced from an Excel worksheet (with the REGISTER.ID function) could exploit this vulnerability. IN order to exploit the vulnerability, the malicious user would need to place the offending DLL onto the user's local computer or on a network share that was accessible from the user's network.

Who should use the patch?
Microsoft recommends that all users who could potentially be affected install the patch.

What does the patch do?
The patch eliminates the vulnerability by disabling the REGISTER.ID function from all Excel worksheets.

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .

How do I use the patch?
Microsoft Knowledge Base (KB) articles, Q269252 (Excel 2000) and Q269263 (Excel 97) contains detailed instructions for applying the patch.

How can I tell if I installed the patch correctly?
Knowledge Base articles, Q269252 (Excel 2000) and Q269263 (Excel 97) provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.

What is Microsoft doing about this issue?

• Microsoft has delivered a patch that eliminates the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued Knowledge Base articles, Q269252 (Excel 2000) and Q269263 (Excel 97) explaining the vulnerability and procedure in more detail.

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.

Download locations for this patch

• Microsoft Excel 2000:

  http://office.microsoft.com/downloads/2000/xl9p3pkg.aspx

• Microsoft Excel 97:

  http://office.microsoft.com/downloads/9798/xl8p10pkg.aspx