[NT] Cumulative Patches for Excel and Word for Windows
From: support@securiteam.com Date: 06/20/02
- Previous message: support@securiteam.com: "[NT] BlackICE Agent Temporary Memory Buildup"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: Thu, 20 Jun 2002 08:08:56 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Cumulative Patches for Excel and Word for Windows
------------------------------------------------------------------------
SUMMARY
This is a set of cumulative patches that, when applied, apply all
previously released fixes for these products.
In addition, these patches eliminate four newly discovered vulnerabilities,
all of which could enable an attacker to run macro code on a user's
machine. The attacker's macro code could take any action on the system
that the user was able to.
* An Excel macro execution vulnerability that relates to how inline
macros that are associated with objects are handled. This vulnerability
could enable macros to execute and bypass the Macro Security Model when
the user clicked on an object in a workbook.
* An Excel macro execution vulnerability that relates to how macros are
handled in workbooks when those workbooks are opened via a hyperlink on a
drawing shape. It is possible for macros in a workbook so invoked to run
automatically.
* An HTML script execution vulnerability that can occur when an Excel
workbook with an XSL Stylesheet that contains HTML scripting is opened.
The script within the XSL stylesheet could be run in the local computer
zone.
* A new variant of the "Word Mail Merge" vulnerability first addressed in
MS00-071. This new variant could enable an attacker's macro code to run
automatically if the user had Microsoft Access present on the system and
chose to open a mail merge document that had been saved in HTML format.
DETAILS
Affected Software:
* Microsoft Excel 2000 for Windows
* Microsoft Office 2000 for Windows
* Microsoft Excel 2002 for Windows
* Microsoft Word 2002 for Windows
* Microsoft Office XP for Windows
Mitigating factors:
Excel Inline Macros Vulnerability:
* A successful attack exploiting this vulnerability would require that
the user accept and open a workbook from an attacker and then click on an
object within the workbook.
Hyperlinked Excel Workbook Macro Bypass:
* A successful attempt to exploit this vulnerability would require that
the user accept and open an attacker's workbook and click on a drawing
shape with a hyperlink.
* An attacker's destination workbook would have to be accessible to the
user, either on the local system or on an accessible network location.
Excel XSL Stylesheet Script Execution:
* A user would have to accept and open an attacker's workbook to exploit
this vulnerability.
In addition, the user would have to acknowledge a security warning by
selecting the non-default option.
Variant of MS00-071, Word Mail Merge Vulnerability:
* The Word mail merge document would have to be saved in HTML format. As
Word is not the default handler for HTML applications, the user would have
to choose to open the document in Word, or acknowledge a security warning.
* A successful attack requires that Access be installed locally.
* The attacker's data source has to be accessible to the user across a
network.
Patch availability:
Download locations for this patch:
* Office Product Updates site:
  http://office.microsoft.com/productupdates/default.aspx
* Microsoft Excel 2000 for Windows:
  * Client Installation:
    http://office.microsoft.com/downloads/2000/exc0901.aspx
  * Administrative Installation:
    http://www.microsoft.com/office/ork/xp/journ/exc0901a.htm
* Microsoft Excel 2002 for Windows:
  * Client Installation:
    http://office.microsoft.com/downloads/2002/exc1002.aspx
  * Administrative Installation:
    http://www.microsoft.com/office/ork/xp/journ/exc1002a.htm
* Microsoft Word 2002:
  * Client Installation:
    http://office.microsoft.com/downloads/2002/wrd1004.aspx
  * Administrative Installation:
    http://www.microsoft.com/office/ork/xp/journ/wrd1004a.htm
What vulnerabilities are eliminated by this patch?
This is a cumulative patch that, when applied, addresses all previously
addressed vulnerabilities. In addition, it eliminates four new
vulnerabilities:
* A macro execution vulnerability in Excel that results from a flaw in
how Excel handles inline macros.
* A macro execution vulnerability in Excel that results from a flaw in
how macros in external workbooks are handled when opened by a hyperlink on
a drawing shape within a workbook.
* A script execution vulnerability related to how Excel processes
workbooks that contain XSL stylesheets.
* A variant of the "Word Mail Merge" vulnerability first addressed in
MS00-071.
Excel Inline Macros Vulnerability:
What is the scope of the first vulnerability?
This vulnerability could enable an attacker to cause macros contained
within an Excel workbook to execute outside of the constraints of the
macro security settings. Because macros by design can take any action that
a user can take, this vulnerability has the net effect of enabling an
attacker to take the same actions on the system that the user is capable
of, including adding, changing or deleting data, communicating with web
sites, or changing security settings, including the macro security
settings.
An attacker could not automate an attack using this vulnerability: the
user would have to be enticed into taking an action after opening the
attacker's workbook. In addition, any constraints that limit the user's
actions would also inhibit the attacker's macros.
What causes the vulnerability?
The vulnerability results because of a flaw in how Excel handles specially
formatted inline macros that are attached to objects within a workbook.
It's possible to assign a macro to an object in such a way that the Macro
Security Model fails to correctly recognize it as a macro. As a
consequence, when the object is activated and the macro is called, the
Macro Security Model is bypassed, and the macro runs with no security
restrictions.
In addition to the cells that are usually associated with a spreadsheet,
Excel provides support for objects within workbooks. There are many
objects that Excel makes available, but some commonly known objects
include drawing objects, such as charts and graphs, command buttons, and
menu buttons, among others.
These objects make available a variety of functions and capabilities,
based on their type, but in general they help expand the capabilities of
Excel from being a simple spreadsheet program to a full fledged
application development environment.
What are inline macros?
To support the expanded functionality that objects provide, one of the
capabilities that all objects in Excel support is the ability to assign a
macro to an object. This macro can then provide any code-based
functionality to the object that the user or developer wants to add.
For example, suppose that a user has developed a spreadsheet for
calculating mortgage rates and the user wants to be able to recalculate
rates. The user can add a command button to the spreadsheet and then
assign a macro that performs the desired calculations to that object. The
user can then click on the command button to run the macro assigned to it
and thus recalculate the mortgage rates.
By design, macros that are assigned to an object can be stored in a macro
code module. However, in the case of this vulnerability it can be entered
directly into the object's properties. In this case the macro is referred
to as an "inline macro" because the macro code is actually stored inline
with the object's properties.
What is the Office Macro Security Model?
Macros are, in essence, small programs. As with programs, it is possible
for malicious users to create hostile macros that seek to cause harm or
disruption to the system by taking actions such as deleting files,
changing security settings, or altering data in files. To help protect
against hostile macros, members of the Office family support a Macro
Security Model that helps users ensure that only safe, authorized macros
are run while unsafe, untrusted macros are disabled.
What's wrong with how Excel handles inline macros attached to objects?
There is a flaw in how the Macro Security Model detects the presence of
inline macros within Excel objects. Specifically, the Macro Security Model
fails to correctly detect the macro.
What could this vulnerability enable an attacker to do?
Because the flaw causes the Macro Security Model to fail to detect the
presence of a macro, this flaw can provide a means by which an attacker
could bypass the Macro Security Model entirely. As a result, the attacker
could make macro code run that would otherwise be disabled.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by crafting an Excel
workbook and inserting an object into the workbook. The attacker would
then assign an inline macro to the object. The attacker would have to
entice the user to open the malicious workbook and then activate the
object by clicking on it. However, the attacker could take steps to
obscure the object in such a way that the user may not recognize the
presence of an object and inadvertently activate the object simply by
clicking on the spreadsheet itself.
What does the patch do?
The patch eliminates the vulnerability by disabling all inline macros in
the Medium and High security settings.
Does this mean that inline macros are still enabled in the Low Security
Setting?
Yes. However, the Low security setting provides no protections against
hostile macros. As a result, in this security setting, there is no
vulnerability, since no protections are bypassed.
Hyperlinked Excel Workbook Macro Bypass:
What's the scope of the second vulnerability?
This is an Excel macro execution vulnerability. An attacker who was able
to successfully exploit this vulnerability could cause macros contained
within an Excel workbook to execute outside of the constraints of the
macro security settings.
An attacker could not automate an attack using this vulnerability: the
user would have to be enticed into taking an action after opening the
attacker's workbook. In addition, any constraints that limit the user's
actions would also inhibit the attacker's macros.
What causes the vulnerability?
The vulnerability results because of a flaw in how Excel macros in a
workbook are handled when that workbook is opened through a hyperlink that
is associated with a drawing shape in another workbook.
When the destination workbook is opened, the Macro Security Model does not
detect the presence of macros in the target workbook. As a result, any
autoexecute macros in the destination workbook would run as soon as that
workbook was opened, without any security constraints.
What are drawing shapes?
As noted above, Excel provides a number of different objects that can be
inserted into workbooks. One particular type of object that Excel supports
are drawing shapes. Drawing shapes are graphical objects such as circles,
squares, rectangles, or freeform shapes that can be inserted into a
workbook.
How do drawing shapes support hyperlinks?
In the same way that objects support macros as an assigned property, they
also support hyperlinks. This means that a drawing shape can be made into
a hyperlink that will take action when the shape is activated.
For example, suppose a user has created a circle on a page in a workbook
and they want users to be able to bring up a web site's home page by
clicking on that shape. The user can set the hyperlink property of the
shape to the web page in question. When user then clicks on the shape, the
hyperlink is invoked and the web page opened.
Because hyperlinks can point to any file type, hyperlinks can also be used
to point to Excel workbooks. Using the example above, it's also possible
to have a circle point to an Excel workbook. When the user would click on
the shape with the hyperlink, the destination workbook would be opened.
What's wrong with how Excel handles workbooks that are opened through a
hyperlink associated with a drawing shape?
In this particular sequence of events, Excel fails to properly invoke the
Macro Security Model when the destination workbook is opened. As a result,
the Macro Security Model is bypassed entirely, allowing any autoexecute
macros to run automatically, with no warning.
It's important to note that this flaw occurs only in conjunction with this
sequence of events.
What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to run macro code when the
user thought that code would be blocked by the Macro Security Model.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by creating two
workbooks, a source workbook and a destination workbook. The attacker
would create a hyperlink on a shape in the source workbook that points to
the destination workbook. In the destination workbook, the attacker could
create an autoexecute macro. The attacker would then have to ensure that
the destination workbook was accessible to the user in some way, by giving
it to the user or posting on a network share or a web site.
The attacker would then have to send the source workbook to the intended
victim and entice the victim to open the workbook, and click on the
hyperlinked shape. As long as the destination workbook was accessible, the
destination workbook would be opened, and the macro code would execute.
What does the patch do?
The patch eliminates the vulnerability by ensuring that the Macro Security
Model is invoked when a workbook is opened through a hyperlink associated
with a drawing shape.
Excel XSL Stylesheet Script Execution:
What's the scope of the third vulnerability?
This vulnerability could enable an attacker to cause HTML scripts to
execute as if they were run locally on the user's system. The scripts
could take any action that the user was capable of, including adding,
changing or deleting files or changing security settings.
An attacker seeking to exploit this vulnerability would have to convince
the intended target to open a file. There is no way to mount an automated
attack against this vulnerability; in all cases there is user interaction
required to mount a successful attack.
Any limitations on a user's ability to make changes to the system would
also limit the attacker's script. For example, if a user were prohibited
from deleting information on the local system, the attacker's script would
be similarly restricted.
What causes the vulnerability?
The vulnerability results because of a flaw in how XSL stylesheets within
Excel workbooks are handled under the Macro Security Model. The Macro
Security Model fails to correctly detect the presence of HTML scripting
when contained within an Excel workbook that contains an XSL stylesheet.
What is XSL?
XSL (eXtensible Stylesheet Language) is a language that provides a means
to sort and manipulate XML data. It can be thought of as a query language
for XML data. For example, suppose you have customer data in XML format
that is ordered by last name and you want to sort it by customer ID. You
would use XSL to define the sorting rule for this data.
What is an XSL stylesheet?
Where XSL is the language that is used for manipulating XML data, an XSL
stylesheet is what actually contains the XSL. An XSL stylesheet therefore
is a document that contains instructions in XSL. This file then can be
"applied" by any application that supports XSL.
What is XML?
XML (Extensible Markup Language) is an industry-standard format for
storing data that facilitates data transfer across the Internet. XML
provides a common means for structuring data so that multiple applications
can recognize it. Using the example above, XML can be used to structure
customer data and meta-data so that any application that supports XML
could correctly identify the structure of the data, such as the customer
ID and last name, and the data itself.
What's wrong with how XSL stylesheets are handled within Excel?
There is a flaw in how the Macro Security Model handles script within XSL
Stylesheets that are contained in an Excel workbook. Specifically, it
fails to correctly detect the presence of script and block its execution.
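As an added example (not part of the bulletin and not Microsoft's code), the following Python script makes the XSL discussion concrete. It takes the customer-sorting case the bulletin uses and shows what an `xsl:sort` does with XML data, then scans a stylesheet for the ingredient the third vulnerability depends on: script carried inside the stylesheet rather than in a macro module. All XML is constructed sample input; the sort routine honours only the `select` and `data-type` attributes of `xsl:sort` (a toy, not an XSLT processor); and the script-detection rules are an assumed triage policy, not Excel's own detection logic.

```python
"""Added example: what an XSL sort does, and a defender-side scan for
script embedded in a stylesheet. Sample XML is constructed; the
detection policy is an assumption for this example, not Excel's check."""
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
MSXSL_NS = "urn:schemas-microsoft-com:xslt"   # Microsoft XSLT extension namespace

# Constructed customer data, ordered by last name (the bulletin's example).
CUSTOMERS_XML = """<customers>
  <customer><last_name>Adams</last_name><id>42</id></customer>
  <customer><last_name>Baker</last_name><id>7</id></customer>
  <customer><last_name>Cole</last_name><id>19</id></customer>
</customers>"""

# Benign stylesheet: re-sorts the customers by numeric id, emits a table.
BENIGN_XSL = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/customers">
    <table>
      <xsl:for-each select="customer">
        <xsl:sort select="id" data-type="number"/>
        <tr><td><xsl:value-of select="id"/></td>
            <td><xsl:value-of select="last_name"/></td></tr>
      </xsl:for-each>
    </table>
  </xsl:template>
</xsl:stylesheet>"""

# Same sort, but the sheet also carries an msxsl:script block and emits a
# literal HTML <script> element. Both bodies are constructed no-ops.
SCRIPTED_XSL = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt">
  <msxsl:script language="JScript" implements-prefix="user">
    function noop() { return ""; }
  </msxsl:script>
  <xsl:template match="/customers">
    <html><body>
      <script>/* constructed placeholder, does nothing */</script>
      <xsl:for-each select="customer">
        <xsl:sort select="id" data-type="number"/>
        <p><xsl:value-of select="last_name"/></p>
      </xsl:for-each>
    </body></html>
  </xsl:template>
</xsl:stylesheet>"""


def sorted_customer_ids(xml_text, xsl_text):
    """Return customer ids in the order the stylesheet's xsl:sort would emit
    them. Only 'select' and 'data-type' of the first xsl:sort are honoured."""
    sheet = ET.fromstring(xsl_text)
    for_each = sheet.find(f".//{{{XSL_NS}}}for-each")
    sort = for_each.find(f"{{{XSL_NS}}}sort")
    key_path = sort.get("select")
    numeric = sort.get("data-type") == "number"
    # The template matches /customers, so the parsed root is the context node.
    root = ET.fromstring(xml_text)
    rows = root.findall(for_each.get("select"))

    def sort_key(el):
        text = el.findtext(key_path)
        return float(text) if numeric else text

    return [int(el.findtext("id")) for el in sorted(rows, key=sort_key)]


def find_script_in_stylesheet(xsl_text):
    """Flag script-bearing constructs: msxsl:script extension blocks, literal
    <script> result elements (HTML that lands in the transformed output),
    on* event-handler attributes and javascript:/vbscript: URLs.
    Assumed triage policy for this example, not Excel's own logic."""
    findings = []
    for el in ET.fromstring(xsl_text).iter():
        ns, _, local = el.tag.rpartition("}")
        ns = ns.lstrip("{")
        if local == "script" and ns != XSL_NS:
            findings.append(("msxsl:" if ns == MSXSL_NS else "") + "script element")
        for name, value in el.attrib.items():
            if name.lower().startswith("on"):
                findings.append(f"event handler attribute {name} on <{local}>")
            elif value.strip().lower().startswith(("javascript:", "vbscript:")):
                findings.append(f"script URL in {name} on <{local}>")
    return findings


if __name__ == "__main__":
    print("sorted ids:", sorted_customer_ids(CUSTOMERS_XML, BENIGN_XSL))
    print("benign findings:", find_script_in_stylesheet(BENIGN_XSL))
    print("scripted findings:", find_script_in_stylesheet(SCRIPTED_XSL))
```

On the constructed input the benign sheet yields the ids in numeric order and no findings; the second sheet sorts identically but is flagged twice, once for the msxsl:script block and once for the literal script element. The point for a defender is that the script lives in the stylesheet rather than in a macro module, which is precisely what a macro-only check overlooks.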
What could this vulnerability enable an attacker to do?
This vulnerability could allow an attacker to run HTML scripts on the
local system as if the user had elected to run them. This means that the
script would run in the Local Computer zone. Since the Local Computer zone
is intended for scripts run directly by the user, scripts run in this zone
can take actions similar to those that a user can take directly. For
example, a script in the local computer zone could add, change, or delete
the same files that a user could.
Conversely, any restrictions on the user's ability to make changes to the
local system would also limit that attacker's script. This means that if a
user were prevented from changing a file due to permissions on the local
file system, the attacker's script would be similarly prevented from
making changes.
How could an attacker exploit this vulnerability?
An attacker would most likely seek to exploit this vulnerability by
creating an Excel workbook that has an XSL stylesheet that contains HTML
script within it. The attacker would have to entice the user to accept the
file by either offering it for download or sending it as an attachment in
email. When the user opened the file, a prompt would be raised asking if
he wanted to apply the XSL stylesheet. The user would have to agree to
apply the stylesheet by clicking "yes", which is not the default. At that
point, the stylesheet would be applied and the attacker's script would
run. Alternately, if the file were set to autorefresh its query, the XSL
could be updated and the script runs after the refresh.
Is there any way for an attacker to mount an automated attack using this
vulnerability?
No. In all cases, attempts to exploit this vulnerability would require
user interaction. There is no way for an attacker to automate an attack
against this vulnerability.
What does the patch do?
The patch eliminates the vulnerability by ensuring that the Macro
Security Model is applied when Excel opens workbooks that contain XSL
stylesheets. The specific result of applying the patch will depend on the
security setting of the Macro Security Model.
Variant of MS00-071, Word Mail Merge Vulnerability:
What's the scope of the fourth vulnerability?
This vulnerability is a new variant of the "Word Mail Merge" vulnerability
first discussed in Microsoft Security Bulletin MS00-071. This vulnerability
could allow an attacker to run code on a user's system.
What is the "Word Mail Merge" Vulnerability?
In a nutshell, this is a vulnerability that could enable an attacker to
run VBA Code in Access unexpectedly when the user opens a Mail Merge
document in Word. In the case of this particular variant, however, the
Mail Merge document needs to be saved in HTML format.
Where can I get more information on the "Word Mail Merge" vulnerability?
Microsoft Security Bulletin MS00-071 discusses this vulnerability in
detail.
Are there any differences between this variant and the original issue?
Unlike the original issue, this variant requires that the Word document in
question be saved in HTML format and that the document then be opened in
Word.
In addition, the mitigating factors for this variant are different from
the original issue. If the HTML document were opened in anything other
than Word, the attempt to exploit the vulnerability would fail. In
addition, a successful attack requires that Access be installed on the
user's system. If Access is not installed, the attack would fail.
What causes the vulnerability?
The vulnerability results because the original fix for this issue fails to
correctly differentiate a remote Access data source when the Word Mail
Merge document is an HTML document. As a result, remote data sources are
treated in an identical manner as local data sources.
If this variant requires that the Word document is in HTML format, can an
attacker mount an automated attack from a web page or HTML email?
No. In all cases, the user must first choose to open the document using
Word, either by acknowledging a file download dialog box, or by choosing
to open Word manually. There is no way for an attacker to mount an
automated attack against this vulnerability.
How does the patch eliminate this vulnerability?
The patch eliminates the vulnerability by ensuring that Word correctly
differentiates between remote and local data sources and handles them in a
manner commensurate with their location.
Does this patch eliminate the original issue as well as the new one?
Yes. It eliminates all known variants.
ADDITIONAL INFORMATION
The information has been provided by <mailto:secnotif@MICROSOFT.COM>
Microsoft Product Security.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.