RE: [Full-Disclosure] FW: Microsoft Security Bulletin MS03-035: Flaw in Microsoft Word Could Enable Macros to Run Automatically(827653)

• Previous message: Ferris, Robin: "RE: [Full-Disclosure] FW: Microsoft Security Update"
• Maybe in reply to: Rainer Gerhards: "[Full-Disclosure] FW: Microsoft Security Bulletin MS03-035: Flaw in Microsoft Word Could Enable Macros to Run Automatically(827653)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 4 Sep 2003 11:47:09 +0200

Actually, this was the "dumb me" syndrome. After some research (reading
the fineprint ;)) I figured out that my workstation did not have Office
XP SP2 installed. That does not explain the why office update does not
work (http://office.microsoft.com/productupdate/), but at least I could
install.

OK, so I am guilty of not checking the system requirements. Agreed. Bash
me for this ;) But couldn't the error message be a bit more descriptive?
I wonder how many end users will simply stop at this point. On a test
machine, I also noticed that Office XP SP2 is not cummulative, so you
receive the same cryptic error message if you try to install SP2 but SP1
is not installed. I would suggest that SPs be cummulative in all
cases...

Rainer

> -----Original Message-----
> From: Rainer Gerhards
> Sent: Thursday, September 04, 2003 10:39 AM
> To: full-disclosure@lists.netsys.com
> Subject: [Full-Disclosure] FW: Microsoft Security Bulletin
> MS03-035: Flaw in Microsoft Word Could Enable Macros to Run
> Automatically(827653)
>
>
> Excellent piece of Microsoft software...
>
> Can't even install it on Word 2002 German on WinXP German. The patch
> says (translated) "did not find the product expected". I then
> tried the
> office update site. That fails with an general error, telling me I
> should review my security settings.
>
> Bottom line: nice patch, but can't install...
>
> Am I now guilty of lazyness if I do not patch?
>
> Anyone else with similar problems?
>
> Rainer Gerhards
>
> > -----Original Message-----
> > From: Microsoft
> > [mailto:0_51912_A303F73D-CBD5-4F48-8040-2B7DCAAAC7DF_DE@Newsle
> > tters.Microsoft.com]
> > Sent: Thursday, September 04, 2003 6:41 AM
> > To: Rainer Gerhards
> > Subject: Microsoft Security Bulletin MS03-035: Flaw in
> > Microsoft Word Could Enable Macros to Run Automatically(827653)
> >
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > -
> -------------------------------------------------------------------
> > Title: Flaw in Microsoft Word Could Enable Macros to Run
> > Automatically (827653)
> > Date: September 3, 2003
> > Software: Microsoft Word 97
> > Microsoft Word 98 (J)
> > Microsoft Word 2000
> > Microsoft Word 2002
> > Microsoft Works Suite 2001
> > Microsoft Works Suite 2002
> > Microsoft Works Suite 2003
> > Impact: Run macros without warning
> > Max Risk: Important
> > Bulletin: MS03-035
> >
> > Microsoft encourages customers to review the Security Bulletins at:
> >
> > http://www.microsoft.com/technet/security/bulletin/MS03-035.asp
> > http://www.microsoft.com/security/security_bulletins/MS03-035.asp
> >
> > -
> -------------------------------------------------------------------
> >
> > Issue:
> > ======
> > A macro is a series of commands and instructions that can be
> > grouped together as a single command to accomplish a task
> > automatically. Microsoft Word supports the use of macros to allow
> > the automation of commonly performed tasks. Since macros are
> > executable code it is possible to misuse them, so Microsoft Word
> > has a security model designed to validate whether a macro should be
> > allowed to execute depending on the level of macro security the
> > user has chosen.
> >
> > A vulnerability exists because it is possible for an attacker to
> > craft a malicious document that will bypass the macro security
> > model. If the document was opened, this flaw could allow a
> > malicious macro embedded in the document to be executed
> > automatically, regardless of the level at which macro security is
> > set. The malicious macro could take the same actions that the user
> > had permissions to carry out, such as adding, changing or deleting
> > data or files, communicating with a web site or formatting the hard
> > drive.
> >
> > The vulnerability could only be exploited by an attacker who
> > persuaded a user to open a malicious document - there is no way for
> > an attacker to force a malicious document to be opened.
> >
> > Mitigating Factors:
> > ====================
> > - The user must open the malicious document for an attacker to be
> > successful. An attacker cannot force the document to be opened
> > automatically.
> >
> > - The vulnerability cannot be exploited automatically through e-
> > mail. A user must open an attachment sent in e-mail for an e-
> > mail borne attack to be successful.
> >
> > - By default, Outlook 2002 block programmatic access to the
> > Address Book. In addition, Outlook 98 and 2000 block
> > programmatic access to the Outlook Address Book if the Outlook
> > Email Security Update has been installed. Customers who use any
> > of these products would not be at risk of propagating an e-mail
> > borne attack that attempted to exploit this vulnerability.
> >
> > - The vulnerability only affects Microsoft Word - other
> members of
> > the Office product family are not affected.
> >
> > Risk Rating:
> > ============
> > -Important
> >
> > Patch Availability:
> > ===================
> > - A patch is available to fix this vulnerability. Please read the
> > Security Bulletins at
> >
> > http://www.microsoft.com/technet/security/bulletin/MS03-035.asp
> > http://www.microsoft.com/security/security_bulletins/MS03-035.asp
> >
> > for information on obtaining this patch.
> >
> > Acknowledgment:
> > ===============
> > - Jim Bassett of Practitioners Publishing Company
> > (http://www.ppcnet.com)
> > -
> -------------------------------------------------------------------
> >
> > THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
> > PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
> > ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
> > OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO
> > EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
> > ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
> > CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
> > MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
> > POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
> > OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
> > SO THE FOREGOING LIMITATION MAY NOT APPLY.
> >
> >
> >
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 8.0.2
> >
> > iQEVAwUBP1UvR40ZSRQxA/UrAQE0jwf8Dzm8/NCPSiH+BP7ePKRl66a9rawIDdlu
> > V+52lARZNbRkBNU00U8ImEzilgfIbgj0HZkcb4GpaQLUsPbYSuyiyu9PrKn0i+/j
> > JTaZOg48YJYZzhFOq+drUAMmwMQAkD3xb9fCrSxqET4/K4/55qiJW5uyOlH9RZ3K
> > BS6fhpmrQhOHGRU1gxWDbnRwWZmaqqMCr4WlGJZKZRH3L6kXwEfoH77Xq/v8BiXC
> > y0a6YqMpmA/Jd3Dpx8ByQBMTEfr2eHmMR9WDBowCip4iQ+p/Qorn8q6JpVlm8mhr
> > G+fCshh3bCiniTX5cXt+9B4yVqnpYXHefB0Vt5mfi6/bavgbiqdt4A==
> > =ZJEd
> > -----END PGP SIGNATURE-----
> >
> >
> >
> > *******************************************************************
> >
> > You have received this e-mail bulletin because of your
> > subscription to the Microsoft Product Security Notification
> > Service. For more information on this service, please visit
> > http://www.microsoft.com/technet/security/noti> fy.asp.
> >
> > To
> > verify the digital signature on this bulletin,
> > please download our PGP key at
> > http://www.microsoft.com/technet/security/noti> fy.asp.
> >
> > To
> > unsubscribe from the Microsoft Security
> > Notification Service, please visit the Microsoft Profile
> > Center at http://register.microsoft.com/regsys/pic.asp
> >
> > If you do not wish to use Microsoft Passport, you can
> > unsubscribe from the Microsoft Security Notification Service
> > via email as described below:
> > Reply to this message with the word UNSUBSCRIBE in the Subject line.
> >
> > For security-related information about Microsoft products,
> > please visit the Microsoft Security Advisor web site at
> http://www.microsoft.com/security.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

• Previous message: Ferris, Robin: "RE: [Full-Disclosure] FW: Microsoft Security Update"
• Maybe in reply to: Rainer Gerhards: "[Full-Disclosure] FW: Microsoft Security Bulletin MS03-035: Flaw in Microsoft Word Could Enable Macros to Run Automatically(827653)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]