Excel 97 CALL Function Patch
|Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.|
Published December 1998
The Excel 97 CALL Function Patch addresses vulnerability in Excel 97 that can occur when the CALL function is used in worksheets. The CALL function calls procedures from dynamic link libraries (DLLs) that are external to a worksheet. This is a legitimate Excel function; however, it is possible that the CALL function could call a DLL that is external to the worksheet without warning the user, and this DLL could be used for malicious purposes.
The CALL function can be used in macros or as a worksheet function. Currently, Excel alerts the user before running a macro, including those macros that contain the CALL function, and thereby allowing the user to decide whether to run the macro. However, no similar warning appears before a worksheet function is calculated, so an external DLL could be called and run without the user knowing about it. Because the CALL function only references DLLs external to the worksheet, the malicious code would have to exist on a user's system or network.
Note: There have been no reports of this happening. Microsoft is proactively trying to eliminate implied risks with this patch.
Before You Install This Patch:
To use the Excel 97 CALL Function Patch, you must be running Excel 97 Service Release 2 (SR-2). To verify which version of Excel you are running, click About Microsoft Excel on the Excel Help menu. You should see Microsoft Excel 97 SR-2 as your version of Excel. If the version you are running is not Microsoft Excel 97 SR-2, please see the TechNet article, MS Office 97 Service Release 2, for installation instructions. Excel 97 SR-2 is included in Office 97 SR-2.
What Users Should Do
The patch disables the CALL function on worksheets only, not in macros. You should assess whether your worksheets are at risk and then decide if you need the patch. Microsoft recommends that you install the patch if you do not normally need to call DLLs from worksheet functions. This patch is fully supported by Microsoft.
For More Information
You can find more information on the patch and on possible risks from using the CALL function in worksheets in the Microsoft Knowledge Base article 196791, and in the Microsoft Security Bulletin MS98-018.
On This Page
You may want to print this page as a reference when you are off-line.
Ensure that you have installed the Office 97 SR-2 Patch. (Confirm this in Excel by clicking the About Microsoft Excel command on the Help menu. You should see Microsoft Excel 97 SR-2 as your version of Excel.)
Close any open Windows applications.
Do one of the following:
If you have only Excel 97 on your machine run xl8p4pkg.exe and accept the default installation location.
If you have a beta version of Office 2000 on the same machine as Excel 97 follow instructions 5-8.
Run xl8p4pkg.exe. Click yes to all the boxes except the last one, which is the installation location.
Note the location where you save the file.
Click Start then select Run.
Type in the following:
c:\temp\xl8p4.exe /p "c:\program files\microsoft office\office\excel.exe"
Where c:\temp\ is the location where the patch has been saved and c:\program files\microsoft office\office\excel.exe is the location of Excel 97 SR-2.
Instructions for use:
During the installation of this software, a dialog will display the prompt: "Patch installed successfully. Do you want to run the patch now?" You should answer Yes if you want to run the patch to update your copy of Excel. If you answer No, then you will need to run the patch later from the location you specified in this setup program, in order to patch your copy of Excel.
There is no Uninstall feature included with this download.
For support of this patch:
If you are experiencing problems with this patch, please review our Support Page for assistance at http://www.microsoft.com/downloads/details.aspx?FamilyID=8DEE9E59-23DC-46FC-8FC1-7B680B7E9D13&displaylang=EN
For administrators who need additional technical information about the patch, please see the Microsoft Knowledge Base article 196791.
©1998 Microsoft Corporation