AUSCERT External Security Bulletin Redistribution
           ESB-1999.158 -- Microsoft Security Bulletin (MS99-044)
               Patch Available for "Excel SYLK" Vulnerability
                               21 October 1999


Microsoft Corporation has released the following security bulletin
concerning two vulnerabilities in the handling of macros by MS Excel 97
and Excel 2000.  The primary vulnerability is the "Excel SYLK"
vulnerability, which allows macros stored in "Symbolic Link" (SYLK) format
files to execute without triggering the macro warning mechanism provided
by Excel.

(Please note: the Symbolic Link (SYLK) format is an ASCII-based text file
format used to exchange documents between applications that share no other,
higher-level file exchange format.  It has nothing to do with UNIX symbolic
links (symlinks).)
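As an added illustration for defenders (not part of Microsoft's bulletin or AusCERT's text), the following Python triage script parses SYLK's line-oriented records and flags files that declare a macro sheet or contain formula cells, since a file with either property deserves review before it is opened in Excel. The record layout it relies on (an `ID` record first, `O;E` assumed to mark a macro sheet, `C` cell records with `K` value and `E` formula fields) and the two sample files are constructed for this example.

```python
"""Triage scanner for SYLK (.slk) text files.

Flags files that declare a macro sheet or carry formula cells, the two
things a macro stored in SYLK format would need.  Constructed example;
not code from Microsoft or AusCERT.
"""

ESCAPED_SEMI = "\x00"   # placeholder for the ";;" escape inside a field


def parse_sylk_records(text):
    """Yield (record_type, [fields]) for each non-empty line of a SYLK file.

    SYLK records are one per line, fields separated by ';'.  A literal
    semicolon inside a field is written as ';;', so it is protected
    before splitting and restored afterwards.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.replace(";;", ESCAPED_SEMI).split(";")
        yield fields[0], [f.replace(ESCAPED_SEMI, ";") for f in fields[1:]]


def scan_sylk(text):
    """Summarise a SYLK file; 'review' is True when it may run code on open."""
    summary = {"is_sylk": False, "macro_sheet": False,
               "formula_cells": 0, "value_cells": 0}
    for rtype, fields in parse_sylk_records(text):
        if rtype == "ID":                      # ID record opens every SYLK file
            summary["is_sylk"] = True
        elif rtype == "O" and "E" in fields:   # assumption: O;E = macro sheet
            summary["macro_sheet"] = True
        elif rtype == "C":                     # cell record
            if any(f.startswith("E") for f in fields):   # E<formula>
                summary["formula_cells"] += 1
            elif any(f.startswith("K") for f in fields): # K<value>
                summary["value_cells"] += 1
    summary["review"] = summary["is_sylk"] and (
        summary["macro_sheet"] or summary["formula_cells"] > 0)
    return summary


# Constructed samples: plain data (with an escaped semicolon) and a macro sheet.
DATA_ONLY = 'ID;P\r\nC;X1;Y1;K"quarterly"\r\nC;X2;Y1;K"a;;b"\r\nC;X1;Y2;K42\r\nE\r\n'
MACRO_SHEET = "ID;PWXL;N;E\r\nO;E\r\nC;X1;Y1;ESUM(R2C1:R3C1)\r\nC;X1;Y2;K1\r\nE\r\n"

if __name__ == "__main__":
    for name, sample in (("data-only", DATA_ONLY), ("macro-sheet", MACRO_SHEET)):
        print(name, scan_sylk(sample))
```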

The secondary vulnerability exists in the way that Excel 97 handles macros
embedded in documents imported from third-party products such as Quattro Pro
and Lotus 1-2-3.  Excel 97 runs macros stored in some third-party documents
without warning the user when the document is opened.  The vulnerability
does not appear to exist in Excel 2000 and does not represent a vulnerability
in Quattro Pro or Lotus 1-2-3.  It refers only to Excel 97's handling of
embedded macros in documents imported from third-party products.

These vulnerabilities may allow a remote user to execute any command, with
the privileges of the local user, on a system where an Excel document
containing a malicious macro is opened.  Macro commands executed may include
creating, deleting or modifying data files, reformatting the hard drive, or
copying data to or from a web

Microsoft have issued a patch which corrects both vulnerabilities:



This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document referenced above, AusCERT has
had no control over its content.  The decision to use any or all
of this information is the responsibility of each user or organisation,
and should be made in accordance with site policies and procedures.

If you have any questions or need further information, please contact 
Microsoft Corporation directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.
