CERT Advisory CA-2001-28

From: CERT Advisory (cert-advisory@cert.org)
Date: 10/08/01

Date: Mon, 8 Oct 2001 15:41:38 -0400 (EDT)
Message-Id: <CA-2001-28.1@cert.org>
From: CERT Advisory <cert-advisory@cert.org>
To: cert-advisory@cert.org
Subject: CERT Advisory CA-2001-28


CERT Advisory CA-2001-28 Automatic Execution of Macros

   Original release date: October 08, 2001
   Last revised: -- Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

   Systems running:
     * Windows
          + Microsoft Excel 2000
          + Microsoft Excel 2002
          + Microsoft PowerPoint 2000
          + Microsoft PowerPoint 2002
     * Macintosh
          + Microsoft Excel 98
          + Microsoft Excel 2001
          + Microsoft PowerPoint 98
          + Microsoft PowerPoint 2001


   An intruder can include a specially crafted macro in a Microsoft
   Excel or PowerPoint document that can avoid detection and run
   automatically regardless of the security settings specified by the

I. Description

   Microsoft Excel and PowerPoint scan documents when they are opened
   and check for the existence of macros. If the document contains
   macros, the user running Excel or PowerPoint is alerted and asked
   if he would like the macros to be run. However, Microsoft Excel and
   PowerPoint may not detect malformed macros, so a user can
   unknowingly run macros containing malicious code when opening an
   Excel or PowerPoint document.

   An intruder who can entice or deceive a victim into opening a
   document using a vulnerable version of Excel or PowerPoint could
   take any action the victim could take, including, but not limited

     * reading, deleting, or modifying data, either locally or on open
       file shares
     * modifying security settings (including macro virus protection
     * sending electronic mail
     * posting data to or retrieving data from web sites

   For more information, please see


   Given the strong potential for widespread abuse of this
   vulnerability, we strongly recommend that you apply patches as soon
   as you are able. For example, the Melissa virus which spread in
   March of 1999 used social engineering to convince victims to
   execute a macro embedded in a Microsoft Word document. For more
   information, see the CERT/CC Advisory listed below.


   As a general practice, everyone should be aware of the potential
   damage that Trojan horses and other kinds of malicious code can
   cause to any platform. For more information, see


   This vulnerability has been assigned the identifier CAN-2001-0718
   by the Common Vulnerabilities and Exposures (CVE) group:


II. Impact

   An attacker can execute arbitrary code on the target system with
   the privileges of the victim running Excel or PowerPoint.

III. Solution

Apply a patch

   Appendix A contains information from vendors who have provided
   information for this advisory. We will update the appendix as we
   receive more information. If a vendor's name does not appear, then
   the CERT/CC did not hear from that vendor. Please contact your
   vendor directly.

   Until a patch can be applied, and as a general practice, we
   recommend using caution when opening attachments. However, it is
   important to note that relying on the "From" line in an electronic
   mail message is not sufficient to authenticate the origin of the

Appendix A. - Vendor Information

   This appendix contains information provided by vendors for this
   advisory. When vendors report new information to the CERT/CC, we
   update this section and note the changes in our revision
   history. If a particular vendor is not listed below, we have not
   received their comments.

Microsoft Corporation

   See Microsoft Security Bulletin MS01-050

Appendix B. - References

    1. http://securityresponse.symantec.com/avcenter/security/Content/200
    2. http://www.microsoft.com/technet/treeview/default.asp?url=/technet
    3. http://www.kb.cert.org/vuls/id/287067
    4. http://www.cert.org/advisories/CA-1999-04.html
    5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0718

   The CERT Coordination Center thanks Peter Ferrie and Symantec
   Security Response, who discovered this vulnerability and published
   the information in their advisory. Additionally, we thank
   Microsoft Corporation, who published an advisory on this issue.

   Author: Ian A. Finlay and Shawn V. Hernan.

   This document is available from:

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
   EDT(GMT-4) Monday through Friday; they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by
   email. Our public PGP key is available from


   If you prefer to use DES, please call the CERT hotline for more

Getting security information

   CERT publications and other security information are available from
   our web site


   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to majordomo@cert.org. Please include in the body of
   your message

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.


   Any material furnished by Carnegie Mellon University and the
   Software Engineering Institute is furnished on an "as is"
   basis. Carnegie Mellon University makes no warranties of any kind,
   either expressed or implied as to any matter including, but not
   limited to, warranty of fitness for a particular purpose or
   merchantability, exclusivity or results obtained from use of the
   material. Carnegie Mellon University does not make any warranty of
   any kind with respect to freedom from patent, trademark, or
   copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2001 Carnegie Mellon University.

   Revision History
   October 8, 2001: initial release

Version: PGP 6.5.8


Relevant Pages

  • CERT Advisory CA-2001-25
    ... Subject: CERT Advisory CA-2001-25 ... in Gauntlet Firewall by PGP Security. ... Please contact your vendor directly. ...
  • CERT Advisory CA-2001-25
    ... Subject: CERT Advisory CA-2001-25 ... in Gauntlet Firewall by PGP Security. ... Please contact your vendor directly. ...
  • RE: Whose X do I need to X to get on CERT?
    ... I was extremely impressed with their responsiveness and we had our ... Whose X do I need to X to get on CERT? ... When CERT's recent SNMP advisory came out ... On its major advisories CERT advertises a "Vendor Information" ...
  • CERT Advisory CA-2001-28
    ... Subject: CERT Advisory CA-2001-28 ... Microsoft Excel and PowerPoint scan documents when they are opened ... the CERT/CC did not hear from that vendor. ... The CERT Coordination Center thanks Peter Ferrie and Symantec ...
  • [NEWS] Wonderware SuiteLink Denial of Service Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Get your security news from a reliable source. ... Vendor Information, Solutions and Workarounds ... Core sends the advisory draft to Wonderware support team. ...