[Full-Disclosure] Flaw in Microsoft Word Could Enable Macros toRun Automatically (827653)
From: Irwan Hadi (irwanhadi_at_phxby.com)
Date: 09/03/03
- Previous message: noconflic: "Webcalendar <= 0.9.42 Cross Site Scripting Attacks and Potential SQL Injection Attack"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: full-disclosure@lists.netsys.com Date: Wed, 3 Sep 2003 14:09:39 -0600
Just Released today
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-035.asp
Microsoft Security Bulletin MS03-035 Print
Flaw in Microsoft Word Could Enable Macros to Run Automatically (827653)
Originally posted: September 03, 2003
Summary
Who should read this bulletin: Customers who are using Microsoft® Word
Impact of vulnerability: Run macros without warning
Maximum Severity Rating: Important
Recommendation: Customers who are using affected versions of Microsoft
Word should apply the security patch immediately.
End User Bulletin:
An end user version of this bulletin is available at:
http://www.microsoft.com/security/security_bulletins/ms03-035.asp.
Affected Software:
Microsoft Word 97
Microsoft Word 98 (J)
Microsoft Word 2000
Microsoft Word 2002
Microsoft Works Suite 2001
Microsoft Works Suite 2002
Microsoft Works Suite 2003
Technical details
Technical description:
A macro is a series of commands and instructions that can be grouped
together as a single command to accomplish a task automatically.
Microsoft Word supports the use of macros to allow the automation of
commonly performed tasks. Since macros are executable code it is
possible to misuse them, so Microsoft Word has a security model designed
to validate whether a macro should be allowed to execute depending on
the level of macro security the user has chosen.
A vulnerability exists because it is possible for an attacker to craft a
malicious document that will bypass the macro security model. If the
document was opened, this flaw could allow a malicious macro embedded in
the document to be executed automatically, regardless of the level at
which macro security is set. The malicious macro could take the same
actions that the user had permissions to carry out, such as adding,
changing or deleting data or files, communicating with a web site or
formatting the hard drive.
The vulnerability could only be exploited by an attacker who persuaded a
user to open a malicious document .there is no way for an attacker to
force a malicious document to be opened.
Mitigating factors:
The user must open the malicious document for an attacker to be
successful. An attacker cannot force the document to be opened
automatically.
The vulnerability cannot be exploited automatically through e-mail. A
user must open an attachment sent in e-mail for an e-mail borne attack
to be successful.
By default, Outlook 2002 block programmatic access to the Address Book.
In addition, Outlook 98 and 2000 block programmatic access to the
Outlook Address Book if the Outlook Email Security Update has been
installed. Customers who use any of these products would not be at risk
of propagating an e-mail borne attack that attempted to exploit this
vulnerability.
The vulnerability only affects Microsoft Word . other members of the
Office product family are not affected.
Severity Rating: Microsoft Word (all versions) Important
Microsoft Works Suite (all versions) Important
The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.
Vulnerability identifier: CAN-2003-0664
Tested Versions:
Microsoft tested Microsoft Word 2002, Microsoft Word 2000, Microsoft
Word 98(J), Microsoft Word 97, Microsoft Word X for Macintosh, Microsoft
Word 2001 for Macintosh, Microsoft Word 98 for Macintosh, Microsoft
Works Suite 2003, Microsoft Works Suite 2002 and Microsoft Works Suite
2001 to assess whether they are affected by this vulnerability. Previous
versions are no longer supported and may or may not be affected by this
vulnerability.
Frequently asked questions
What.s the scope of the vulnerability?
This vulnerability could enable an attacker to create a document that,
when opened in Microsoft Word, could allow an unsigned macro to run
regardless of the macro security level. Macros can take any action that
the user can take, and as a result this vulnerability could allow an
attacker to take actions such as changing data, communicating with Web
sites, reformatting the hard disk, or changing the Word security
settings. The vulnerability only affects Word.other members of the
Office product family are not affected.
What causes the vulnerability?
The vulnerability results because Word incorrectly checks properties in
a modified document, causing it to not prompt the user with a macro
security warning when macros are present in the document.
What.s a macro?
Generally, the term macro refers to a small program that automates
frequently-performed tasks in an operating system or in a program. For
example, all members of the Office family of products support the use of
macros. This allows companies to develop macros that perform as
sophisticated productivity tools that run in Word, in Excel, or in other
programs.
Like any computer program, macros can be misused. Many viruses are
written as macros and are embedded in Office documents. To combat this
threat, Office has a security model that is designed to make sure that
macros can only run when the user wants them to run. In this case,
however, there is a flaw in the security model, which can be exploited
when a user opens a malformed document.
What's wrong with the way Microsoft Word checks macro security?
There is a flaw in the way that Word assesses macro security when a
document is opened that could allow the macro security checks to be
bypassed under certain circumstances.
What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to create a malicious
document that could allow a macro to run automatically, if an attacker
persuaded a user to open the specially-crafted document. This could
allow an attacker to take any action on the system that the user can
take, including adding, changing, or deleting data, running other
programs, or formatting the hard disk.
What could the macro do?
The macro could take any action that the user can take. This would
include adding, changing, or deleting files, communicating with a Web
site, reformatting the hard disk, and so forth.
A macro also could change the user.s macro security level. This could
include disabling macro protection. As a result, if the user were
attacked by means of this vulnerability, the user.s macro security level
could be reduced and other macros that would otherwise be stopped by
Word could be allowed to run.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by creating a
specially-crafted Word document that contained a malicious macro. The
attacker could then send it to a user, typically through an e-mail
message, and then persuade the user to open the document. An attacker
could also host the specially-crafted Word document on a network share
or on a Web site; however, the attacker would still need to persuade the
user to open the document.
Microsoft Works Suite is listed as a vulnerable product . why?
Microsoft Works Suite includes Microsoft Word. Microsoft Works users
should use Office Update at:
http://www.office.microsoft.com/ProductUpdates/default.aspx to detect
and to install the appropriate patch.
What does the patch do?
This patch eliminates the vulnerability by making sure that Word carries
out the appropriate macro security checks when it opens a document.
Patch availability
Download locations for this patch
Microsoft Word 2002:
http://microsoft.com/downloads/details.aspx?FamilyId=7D3775FC-F424-4B04-ABEB-9B4CA1EB182D&displaylang=en
Administrative update only:
http://www.microsoft.com/office/ork/xp/journ/wrd1006a.htm
Microsoft Word 2000:
http://microsoft.com/downloads/details.aspx?FamilyId=4A8F6ACE-E14E-4978-A9C9-6989CD03A4A3&displaylang=en
Administrative update only:
http://www.microsoft.com/office/ork/xp/journ/wrd0903a.htm
Microsoft Word 97/Microsoft Word 98(J):
Information on receiving Microsoft Word 97 & Microsoft Word 98(J)
support is available at:
http://support.microsoft.com/default.aspx?scid=kb;en-us;827647
Microsoft recommends users visit Office Update at
http://www.office.microsoft.com/ProductUpdates/default.aspx to detect
and install this security patch and all other public updates to Office
family products (note: Office Update does not support Office 97 or Visio
2000).
Additional information about this patch
Installation platforms:
The Word 2002 patch can be installed on systems that are running Word
2002 with Office XP Service Pack 2, and on systems that are running
Microsoft Works Suite 2003 or Microsoft Works Suite 2002. The
administrative update can also be installed on systems that are running
Office XP Service Pack 1.
The Word 2000 patch can be installed on systems that are running Word
2000 with Office 2000 Service Pack 3 and Microsoft Works 2001.
For information about Microsoft Word 97 and Microsoft Word 98(J)
support, see the following the following Microsoft Knowledge Base
article: http://support.microsoft.com/default.aspx?scid=kb;en-us;827647
Inclusion in future service packs:
The fix for this issue will be included in future service packs for the
affected products.
Reboot needed: No
Patch can be uninstalled: No
Superseded patches: None.
Verifying patch installation:
Word 2002: Verify that the version number of WinWord.exe is 10.0.5522.0.
Word 2000: Verify that the version number of WinWord.exe is
9.00.00.7924.
Word 97 and Word 98(J): Information about checking Microsoft Word 97 and
Microsoft Word 98(J) is available in Microsoft Knowledge Base article
827647.
Works Suite 2002 and Works Suite 2003: Verify that the version number of
WinWord.exe is 10.0.5522.0.
Works Suite 2001: Verify that the version number of WinWord.exe is
9.00.00.7924.
Caveats:
None
Localization:
Localized versions of this patch are available at the locations
discussed in "Patch Availability".
Obtaining other security patches:
Patches for other security issues are available from the following
locations:
Security patches are available from the Microsoft Download Center, and
can be most easily found by doing a keyword search for "security_patch".
Patches for consumer platforms are available from the WindowsUpdate web
site
Other information:
Acknowledgments
Microsoft thanks Jim Bassett of Practitioners Publishing Company for
reporting this issue to us and working with us to protect customers.
Support:
Microsoft Knowledge Base article 827653 discusses this issue. Knowledge
Base articles can be found on the Microsoft Online Support web site.
Technical support is available from Microsoft Product Support Services.
There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as
is" without warranty of any kind. Microsoft disclaims all warranties,
either express or implied, including the warranties of merchantability
and fitness for a particular purpose. In no event shall Microsoft
Corporation or its suppliers be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business
profits or special damages, even if Microsoft Corporation or its
suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not
apply.
Revisions:
V1.0 (September 03, 2003): Bulletin Created.
Contact Us | E-mail this Page | TechNet Newsletter
© 2003 Microsoft Corporation. All rights reserved. Terms of Use
Privacy Statement Accessibility
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Previous message: noconflic: "Webcalendar <= 0.9.42 Cross Site Scripting Attacks and Potential SQL Injection Attack"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
