Microsoft KB Archive/196791

= XL97: Update Available for Excel CALL Vulnerability =

Article ID: 196791

Article Last Modified on 1/9/2007

-

APPLIES TO


 * Microsoft Excel 97 Standard Edition

-



This article was previously published under Q196791



SUMMARY
Microsoft has released an update for Microsoft Excel 97 that fixes a vulnerability that could allow certain types of executables to be run without a warning to the user.

To correct this problem, download and install the latest update for Excel 97. The latest update includes this and all other Excel-specific updates that have been released since the latest service release (SR) of Office. The files included in this update will be included in any later SR or patch. To upgrade to the latest patch or for more information about the history of Excel 97 patches, please click the article number below to view the article in the Microsoft Knowledge Base:

232652 XL97: Overview and History of Excel Patches

A legitimate Excel function, CALL, allows executables to be run from a worksheet and could be used to run executables of a malicious nature. A fully supported update that disables this functionality is available. The update works by disabling the CALL function on a worksheet, but does not disable the CALL function from within macros. Microsoft recommends that customers who need the CALL worksheet function evaluate the degree of risk that it poses to their systems and determine whether the best course of action is to apply the update.

This update is designed to update Microsoft Excel 97 Service Release 2 (SR-2). Microsoft does not currently have plans to provide a solution for the CALL vulnerability issue for earlier versions of Microsoft Excel. Because earlier versions of Excel do not provide full macro virus protection, disabling only the CALL worksheet function would not provide a significant level of safety as the CALL function can also be used in a macro.



MORE INFORMATION
CALL is a legitimate, advanced function that calls an outside procedure in a dynamic-link library (DLL) or code resource. The DLL or code resource called could contain code to perform potentially damaging or malicious behavior.

For example, using the CALL function in a workbook with the following syntax calls a DLL named Custom.dll containing a procedure named Test with a data type of Signed 4-byte integer:

  =CALL("Custom", "Test", "J!")

Note that the exclamation point (!) makes the formula volatile, recalculating any time the worksheet changes.

In this example, the procedure named Test that is called can perform any type of operation including potentially damaging behavior. The CALL function simply executes this code which resides within the DLL. A custom DLL is not part of Excel nor is it contained in the workbook.

The Call statement is used in a Visual Basic for Applications module sheet to call another macro located in the same workbook or transfer control to an intrinsic function, a dynamic-link library (DLL) procedure, or a procedure in a Macintosh code resource. This form of the Call statement cannot bypass the built-in macro virus protection.

This example illustrates how the Call statement can transfer control to a Sub procedure.

Sub Main Call PrintToDebugWindow("Hello World") ' The above statement causes control to be passed to the ' Sub procedure below. End Sub

Sub PrintToDebugWindow(AnyString) Debug.Print AnyString  ' Print to Debug window. End Sub

Excel displays a warning before running macros, including those containing the Call statement, which allows you to decide whether or not to run them. However, Excel does not generate a warning before executing worksheet functions. Because the CALL function resides on the worksheet and not in a macro or module, you will not receive any warning when the workbook opens. The CALL function will then execute the intended procedure in a DLL or other code resource without warning.

How Does the Patch Work?
After you install the Excel 97 SR-2 CALL Function Update, no prompts or alerts will appear notifying you of the update. Everything will appear and function normally. However, when you use the CALL worksheet function or open a workbook that contains the CALL function, the result will always return the value FALSE. This indicates that the function is disabled and is not functional.

