XL97: Patch Available for Excel CALL Vulnerability

ID: Q196791


The information in this article applies to:


SUMMARY

Microsoft has released a patch for Microsoft Excel 97 that fixes a vulnerability that could allow certain types of executables to be run without a warning to the user.

This patch includes all of the updates that were released since the last service release of Office, and the files included in this fix may be included in later service releases or patches. For information about the history of Excel 97 patches and releases and what they include, please see the following article in the Microsoft Knowledge Base:

   Q232652 XL97: Overview and History of Excel Patches

A legitimate Excel function, CALL, allows executables to be run from a worksheet and could be used to run executables of a malicious nature. A fully supported patch that disables this functionality is available. The patch works by disabling the CALL function on a worksheet, but does not disable the CALL function from within macros. Microsoft recommends that customers who need the CALL worksheet function evaluate the degree of risk that it poses to their systems and determine whether the best course of action is to apply the patch.

The "Excel 97 SR-2 CALL Function Patch" is available at the following Microsoft Office Update Web site:
   http://officeupdate.microsoft.com/downloadDetails/xl97cfp.htm

The "Excel 97 SR-2 CALL Function Patch" is designed to update Microsoft Excel 97 Service Release 2 (SR-2). Microsoft does not currently have plans to provide a solution for the CALL vulnerability issue for earlier versions of Microsoft Excel. Because earlier versions of Excel do not provide full macro virus protection, disabling only the CALL worksheet function would not provide a significant level of safety as the CALL function can also be used in a macro.


MORE INFORMATION

CALL is a legitimate, advanced function that calls an outside procedure in a dynamic-link library (DLL) or code resource. The DLL or code resource called could contain code to perform potentially damaging or malicious behavior.

For example, using the CALL function in a workbook with the following syntax calls a DLL named Custom.dll containing a procedure named Test with a data type of Signed 4-byte integer:


   =CALL("Custom", "Test", "J!") 

Note that the exclamation point (!) makes the formula volatile, recalculating any time the worksheet changes.

In this example, the procedure named Test that is called can perform any type of operation including potentially damaging behavior. The CALL function simply executes this code which resides within the DLL. A custom DLL is not part of Excel nor is it contained in the workbook.

The Call statement is used in a Visual Basic for Applications module sheet to call another macro located in the same workbook or transfer control to an intrinsic function, a dynamic-link library (DLL) procedure, or a procedure in a Macintosh code resource. This form of the Call statement cannot bypass the built-in macro virus protection.

This example illustrates how the Call statement can transfer control to a Sub procedure.

 Sub Main()
    Call PrintToDebugWindow("Hello World")	
    ' The above statement causes control to be passed to the
    ' Sub procedure below.
 End Sub

 Sub PrintToDebugWindow(AnyString)
    Debug.Print AnyString   ' Print to Debug window.
 End Sub 

Excel displays a warning before running macros, including those containing the Call statement, which allows you to decide whether or not to run them. However, Excel does not generate a warning before executing worksheet functions. Because the CALL function resides on the worksheet and not in a macro or module, you will not receive any warning when the workbook opens. The CALL function will then execute the intended procedure in a DLL or other code resource without warning.
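
Because a worksheet CALL runs without any macro warning, an audit of workbooks needs to look at cell formulas rather than macros. The following Python code is an added example, not part of the original article or of any Microsoft tool: it scans formula text for worksheet CALL invocations and reports the DLL, the procedure, the type text and whether the "!" volatile marker is present. It assumes the cell formulas have already been extracted as text; the function names and every sample cell other than A1 are constructed for illustration.

```python
import re

# CALL( not preceded by a name character, so RECALL( does not match.
CALL_RE = re.compile(r'(?<![A-Za-z0-9_.])CALL\s*\(', re.IGNORECASE)
STRING_RE = re.compile(r'"(?:[^"]|"")*"')  # Excel literal; "" escapes a quote

def mask_strings(formula):
    """Blank out string-literal contents (offsets kept) so quoted text is not parsed."""
    return STRING_RE.sub(lambda m: '"' + " " * (len(m.group()) - 2) + '"', formula)

def split_args(formula, masked, start):
    """Top-level arguments of the call whose '(' sits just before index start."""
    depth, begin, args = 1, start, []
    for i in range(start, len(masked)):
        c = masked[i]
        depth += (c in "({") - (c in ")}")
        if depth == 0 or (c == "," and depth == 1):
            args.append(formula[begin:i].strip())
            begin = i + 1
            if depth == 0:
                return args
    return args + [formula[begin:].strip()]  # unbalanced parentheses

def literal(arg):
    """Text of a string-literal argument, or None when it is an expression."""
    return arg[1:-1].replace('""', '"') if STRING_RE.fullmatch(arg) else None

def find_call_usage(cells):
    """One finding per worksheet CALL in cells (address -> cell text).
    Per the article, '!' in the type text makes the formula volatile."""
    findings = []
    for addr, text in cells.items():
        if not text.startswith("="):  # plain text, not a formula
            continue
        masked = mask_strings(text)
        for m in CALL_RE.finditer(masked):
            args = (split_args(text, masked, m.end()) + [""] * 3)[:3]
            module, proc, type_text = (literal(a) for a in args)
            volatile = None if type_text is None else "!" in type_text
            findings.append({"cell": addr, "module": module, "procedure": proc,
                             "type_text": type_text, "volatile": volatile})
    return findings

SAMPLE = {  # constructed cells; only A1 is the article's formula
    "A1": '=CALL("Custom", "Test", "J!")',
    "B2": '=IF(A1>0, call("Other","Proc","J"), 0)',
    "C3": '=RECALL(1)&"Please CALL(me) later"',
}
```

Calling find_call_usage(SAMPLE) reports A1 and B2 and ignores C3, where CALL appears only inside a longer name and inside a string literal. A value of None for module, procedure or volatile means the argument is an expression that must be resolved by hand.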


How Does the Patch Work?

After you install the Excel 97 SR-2 CALL Function Patch, no prompts or alerts will appear notifying you of the patch. Everything will appear and function normally. However, when you use the CALL worksheet function or open a workbook that contains the CALL function, the result will always return the value FALSE. This indicates that the function is disabled and is not functional.

How Can I Determine Whether the Patch Has Been Successfully Installed?

When you run the Excel 97 SR-2 CALL Function Patch, it creates a log file named Xl8p4.log in the same folder that contains Excel. You can open this log file to determine whether you have successfully installed the patch. If installation is successful, the status message in the log file is similar to the following:

   Microsoft Excel 97 SR-2 CALL Function Patch - Patch RUP 12040001
   Microsoft Excel has been patched successfully. 

In addition, you can determine whether you have successfully installed the patch by following these steps:
  1. Use Microsoft Windows Explorer to locate the Excel.exe file.

    The default location for this file is the following folder:

    C:\Program Files\Microsoft Office\Office
    NOTE: If you are running Microsoft Excel 97 from a network server, Excel.exe is located on the network server.


  2. Right-click Excel.exe. On the shortcut menu, click Properties. Click the Version tab.


  3. Note the File Version and compare it to the following table.

    The version that is displayed in the Properties dialog box indicates which version of Microsoft Excel 97 you are currently running. If the version number is 8.0f, you have successfully installed the Microsoft Excel 97 SR-2 CALL Function Patch.

    You can also determine which version of Microsoft Excel you have installed by clicking About Microsoft Excel on the Help menu in Microsoft Excel 97, or by checking the value that is returned by Application.Build or Application.Version in a Microsoft Visual Basic for Applications macro.
    
     Excel           Help              File     Application.Build/   Patches/SRs
     version         menu (About)      version  Application.Version  Included
    ----------------------------------------------------------------------------
    
     Excel 97 SR-2   Excel 97 SR-2     8.0e     5618 / 8.0e          SR-1,
                                                                     Xl8p1.exe,
                                                                     Xl8p2.exe,
                                                                     Xl8p3.exe
    
     Excel 97 SR-2   Excel 97 SR-2(f)  8.0f     5619 / 8.0f          All fixes 
     and Xl8p4.exe                                                   in SR-2 

    NOTE: Any build/version number for Excel 97 greater than 5619/8.0f also includes this fix.


Updating Excel.exe on Another Computer or Administrative Install


By using setup switches, you can manually expand Xl8p4pkg.exe and force Xl8p4.exe to update a specific copy of Excel.exe; for example, you can update a copy of Excel.exe that is stored on a network server. To do this, follow these steps:
  1. Download Xl8p4pkg.exe and save it on the Windows desktop.


  2. On the Windows Start menu, click Run. Type the following command line
    c:\windows\desktop\xl8p4pkg.exe /t:c:\windows\desktop /c
    and click OK. Then, click Yes.

    The six files that are contained in Xl8p4pkg.exe, including Xl8p4.exe, appear on the Windows desktop.


  3. On the Windows Start menu, click Run. Type the following command line
    c:\windows\desktop\xl8p4.exe /p "path to Excel.exe"
    where path to Excel.exe is the complete path to Excel.exe. You must type the path to Excel.exe in quotation marks; for example, type the following:
    "D:\Office\Excel.exe"
    Then, click OK.

    NOTE: The path cannot exceed 256 characters in length.

    The patch is applied to the specified copy of Excel.exe.


Running the Excel 97 SR-2 CALL Function Patch in Silent Mode

You can run the Excel 97 SR-2 CALL Function Patch in silent mode by using the /s switch when you run Xl8p4.exe. Note that you must run Xl8p4.exe from the command prompt (on the Start menu, click Run) to use these switches.

For example, the following runs the patch in silent mode:

   path\xl8p4pkg.exe /q /c:"xl8p4.exe /s"

where path is the location of xl8p4.exe.


REFERENCES

For more information about the CALL function, click Contents And Index on the Help menu, click the Index tab in Excel 97 Help, type the following text

   Call

and then double-click the selected text to go to the "Call" topic. If you are unable to find the information you need, ask the Office Assistant.

Additional query words: XL97


Keywords          : kbpatch kbdta 
Version           : WINDOWS:97
Platform          : WINDOWS 
Issue type        : kbhowto 

Last Reviewed: June 16, 1999