Alert: Microsoft Security Bulletin - MS02-059

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 10/17/02 

Date:         Wed, 16 Oct 2002 19:21:19 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

http://www.microsoft.com/technet/security/bulletin/MS02-059.asp

Flaw in Word Fields and Excel External Updates Could Lead to Information Disclosure (Q330008)

Originally posted: Oct 16, 2002

Summary

Who should read this bulletin: Customers using Microsoft® Word or Microsoft® Excel.

Impact of vulnerability: Information Disclosure

Maximum Severity Rating: Moderate

Recommendation: Customers using Word or Excel should apply the patches.

Affected Software:
- Microsoft Word 2002
- Microsoft Word 2000
- Microsoft Word 97
- Microsoft Word 98(J)
- Microsoft Word X for Macintosh
- Microsoft Word 2001 for Macintosh
- Microsoft Word 98 for Macintosh
- Microsoft Excel 2002

Technical description:

Word and Excel provide a mechanism through which data from one document can be inserted to and updated in another document. This mechanism, known as field codes in Word and external updates in Excel, can be automated to reduce the amount of manual effort required by a user. An example of the use of Word field codes could be the automatic insertion of a standard disclaimer paragraph in a legal document. An example of the use of external updates in Excel could be the automatic updating of a chart in one spread*** using data in a different spread***.

A vulnerability exists because it is possible to maliciously use field codes and external updates to steal information from a user without the user being aware. Certain events can trigger field code and external update to be updated, such as saving a document or by the user manually updating the links. Normally the user would be aware of these updates occurring, however a specially crafted field code or external update can be used to trigger an update without any indication to the user. This could enable an attacker to create a document that, when opened, would update itself to include the contents of a file from the user's local computer.

In order for an attacker to take advantage of this vulnerability, the attacker would need to perform the following steps:
- Craft a Word or Excel document that exploits the vulnerability
- Deliver it to the user, via email or some other method
- Entice the user to open the document
- Return the document to the attacker. (Microsoft is aware of one case in which it would not be necessary for the user to do this. There is one method through which the attacker's document could post information directly to a web site, but it would only allow the first line of the file to be sent)

Mitigating factors:
- The attacker would need to know the location of the file that he or she wanted to steal. If the correct filename were not presented, the attack would fail and an invalid field error message would be present in the document.
- The user could always view the field codes or external updates. The field codes or external updates used in the attack can be revealed, as they are only hidden to prevent cluttering the document when it is being viewed or edited. A method of checking documents for additional undesired information is described in the Frequently Asked Questions below.
- Although the attacker could take some steps to obscure the stolen information, the attacker would leave a clear audit trail. Since the field codes or external updates can be viewed, even if an attack is successful, the attacker would leave clear evidence in the document in the form of the stolen information and the malicious field codes used. This evidence could be used by law enforcement agencies if required
- The vulnerability would not enable the attacker to delete, modify or add any files to the user's local system.
- In virtually all circumstances, the attacker would need to entice the user into returning the document. No information would be revealed unless the user returned the document to the attacker.

Vulnerability identifier: CAN-2002-1143

This email is sent to NTBugtraq automatically as a service to my subscribers. Since its programmatically created, and since its been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]

I can only hope that the information it does contain can be read well enough to serve its purpose.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor