[NT] Flaw in Word Fields and Excel External Updates Could Lead to Information Disclosure

From: support@securiteam.com
To: list@securiteam.com
Date: 17 Oct 2002 03:07:53 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Flaw in Word Fields and Excel External Updates Could Lead to Information Disclosure
------------------------------------------------------------------------

SUMMARY

Word and Excel provide a mechanism through which data from one document
can be inserted to and updated in another document. This mechanism, known
as field codes in Word and external updates in Excel, can be automated to
reduce the amount of manual effort required by a user. An example of the
use of Word field codes could be the automatic insertion of a standard
disclaimer paragraph in a legal document. An example of the use of
external updates in Excel could be the automatic updating of a chart in
one spreadsheet using data in a different spreadsheet.

A vulnerability exists because it is possible to maliciously use field
codes and external updates to steal information from a user without the
user being aware. Certain events can trigger field codes and external
updates to be refreshed, such as saving a document or the user manually
updating the links. Normally the user would be aware of these updates
occurring; however, a specially crafted field code or external update can
be used to trigger an update without any indication to the user. This
could enable an attacker to create a document that, when opened, would
update itself to include the contents of a file from the user's local
computer.

In order for an attacker to take advantage of this vulnerability, the
attacker would need to perform the following steps:
 * Craft a Word or Excel document that exploits the vulnerability
 * Deliver it to the user, via email or some other method
 * Entice the user to open the document
 * Return the document to the attacker. (Microsoft is aware of one case in
which it would not be necessary for the user to do this. There is one
method through which the attacker's document could post information
directly to a web site, but it would only allow the first line of the file
to be sent)

DETAILS

Affected Software:
 * Microsoft Word 2002
 * Microsoft Word 2000
 * Microsoft Word 97
 * Microsoft Word 98(J)
 * Microsoft Word X for Macintosh
 * Microsoft Word 2001 for Macintosh
 * Microsoft Word 98 for Macintosh
 * Microsoft Excel 2002

Patch availability:
Download locations for this patch:
 * Microsoft Word 2002:
   http://office.microsoft.com/downloads/2002/wrd1005.aspx
 * Microsoft Word 2000:
   http://office.microsoft.com/downloads/2000/wrd0902.aspx
 * Word 97/Word 98(J):
   Information on receiving Word 97 & Word 98(J) support is available at:
   http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q330080
 * Word X for Macintosh:
   http://www.microsoft.com/mac/download/security.asp
 * Word 2001 for Macintosh:
   http://www.microsoft.com/mac/download/security.asp
 * Word 98 for Macintosh:
   http://www.microsoft.com/mac/download/security.asp
 * Excel 2002:
   http://office.microsoft.com/downloads/2002/exc1003.aspx

Mitigating factors:
 * The attacker would need to know the location of the file that he or she
wanted to steal. If the correct filename were not presented, the attack
would fail and an invalid field error message would be present in the
document.
 * The user could always view the field codes or external updates. The
field codes or external updates used in the attack can be revealed, as
they are only hidden to prevent cluttering the document when it is being
viewed or edited. A method of checking documents for additional undesired
information is described in the Frequently Asked Questions below.
 * Although the attacker could take some steps to obscure the stolen
information, the attacker would leave a clear audit trail. Since the field
codes or external updates can be viewed, even if an attack is successful,
the attacker would leave clear evidence in the document in the form of the
stolen information and the malicious field codes used. This evidence could
be used by law enforcement agencies if required.
 * The vulnerability would not enable the attacker to delete, modify or
add any files to the user's local system.
 * In virtually all circumstances, the attacker would need to entice the
user into returning the document. No information would be revealed unless
the user returned the document to the attacker.

What's the scope of the vulnerability?
This vulnerability could enable an attacker to create a document that
could be used to steal the contents of a document that another user has
access to.

Under virtually all circumstances it would not be possible for an attacker
to exploit the vulnerability without the involvement of the user. In order
for an attacker to take advantage of this vulnerability, the attacker
would have to craft a malicious Word or Excel document, deliver it to the
user (via email or other means) and then entice the user to return the
document. Even a successful attack would leave tell-tale evidence that
could aid law enforcement in identifying the attacker.

What products does this affect?
The issue affects all versions of Word including when Word is used as the
e-mail editor by Microsoft Outlook. Excel 2002 is also affected.

What causes the vulnerability?
By design, field codes and external updates can be used to insert data
from other sources into Word documents and Excel spreadsheets. Normally the
user is aware of these updates occurring. However, a flaw in the way field
codes and external updates are implemented could make it possible to craft
a malicious field code or external update that, when the document or
spreadsheet is opened, will automatically update without the user being
aware.

What are field codes and external updates?
Field codes and external updates are ways of automating the insertion of
data in a document. For example, field codes are often used in a Word
document to insert the date or page number automatically. External updates
in Excel are similar, and can be used for example to insert data from one
Excel spreadsheet into another automatically.

Field codes and external updates typically are hidden from view during
normal document editing, so as not to clutter the user's view. However
they can be revealed and inspected at any time, if necessary. Field codes
and external links cannot be permanently hidden in a document to the
extent that they cannot be revealed later.

What's wrong with the way Word field codes and Excel external updates are
implemented?
By design, field codes and external updates can automatically insert and
update information from external sources, including data files on the
user's system. This is normally legitimate automation on the user's
behalf. However, a flaw exists because this update behavior can be
manipulated so that a hidden field code can carry out an update without
the user being aware. This can be used to insert information from a user's
document into the attacker's document, without the user being aware.

What could this vulnerability enable an attacker to do?
The vulnerability could enable the attacker to steal the contents of a
user's document without the user being aware.

How could an attacker exploit this vulnerability?
There are a number of steps an attacker would have to take in order to
execute a successful attack:

 * The attacker would have to craft a special Word or Excel document that
contained specially crafted Word fields or Excel external updates. These
field codes or external updates would need to reference the exact name and
location of the file that the attacker wished to steal.
 * The attacker would then have to deliver the document to the user via
email or some other means, and convince the user to open it.
 * After closing the document, the user would need to return the document
to the attacker. (There is one niche case, discussed below, in which this
would not be necessary.)

What's the case in which the user would not have to return the attacker's
document?
There is one limited scenario where an attacker could use a field code to
send data directly to a web site under the attacker's control. Although
this scenario would eliminate the need for the user to return the
attacker's document, it is subject to a significant drawback: it could
only be used to obtain the first line of the user's file.

How is Microsoft Outlook affected?
Microsoft Outlook itself is not affected. However, Outlook 2002 uses Word
as its e-mail editor by default. Outlook 2000 and Outlook 97 can be
configured to use Word as their e-mail editor. Microsoft Outlook for
Macintosh does not use Word as its e-mail editor. If Word is being used as
the Outlook e-mail editor, an e-mail message is treated as a document. The
Word patch described in this bulletin corrects this issue whether Word is
used separately or in conjunction with Outlook.

Could this vulnerability be used to forge a digitally signed document?
No, the signature would be invalidated as soon as the maliciously crafted
document was opened. This would be evident from inspecting the digital
signature. Microsoft Knowledge Base article Q329228
<http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q329228>
discusses how to verify a digital signature in an Office document.

Is there any way of seeing what an attacker might have stolen?
Yes there is. It is important to understand that the contents of the
stolen document do not become invisible. The attacker may choose to
obscure the contents of the stolen document, but the contents will still
be visible if all field codes are revealed and the document is inspected.
The stolen contents cannot be irreversibly hidden.

Field codes and external updates can be exposed by selecting the following
menu options:
 * Word 2002, 2000, 97, 98(J): Tools|Options|View then selecting the
"Field Codes" box.
 * Word X, 2001 for Macintosh: Edit|Preferences|View then selecting the
"Field Codes" box.
 * Word 98 for Macintosh: Tools|Preferences|View then selecting the "Field
Codes" box.
 * Excel 2002: Tools|Options|View|Formulas

This evidence, which will always be present, could be used if necessary to
pursue disciplinary or legal action against an attacker.
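The menu settings above reveal field codes one document at a time. As an added illustration (not part of the advisory and not Microsoft's code), the following Python script performs the same inspection in bulk by reading the field instructions straight out of a document, so a mail gateway or a reviewer can list every field that pulls data from outside the file before anyone opens it. It assumes the XML-based .docx container rather than the binary .doc format of the Word versions listed above (the field instruction syntax is the same); the set of external-data field keywords, the sample document and the file path inside it are all constructed for this example.

```python
import os
import re
import tempfile
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def w(tag):
    """Qualify a WordprocessingML tag name with its namespace."""
    return "{%s}%s" % (W_NS, tag)


# Field keywords whose result is read from outside the current document.
# Assumption for this example: these are the fields worth reviewing; the
# advisory itself does not list field names.
EXTERNAL_FIELDS = {"INCLUDETEXT", "INCLUDEPICTURE", "LINK", "DATABASE"}


def extract_field_codes(document_xml):
    """Return every field instruction in document order.

    Word stores a field either as <w:fldSimple w:instr="..."> or as a run
    sequence fldChar(begin) / instrText... / fldChar(separate) / cached
    result / fldChar(end).  Only the instruction text is collected; the
    cached result between 'separate' and 'end' is what the user normally
    sees and is ignored.  Nested fields are emitted innermost first.
    """
    root = ET.fromstring(document_xml)
    codes = []
    open_fields = []  # one instruction buffer per currently open complex field
    for el in root.iter():  # pre-order traversal, i.e. document order
        if el.tag == w("fldSimple"):
            codes.append(el.get(w("instr"), "").strip())
        elif el.tag == w("fldChar"):
            kind = el.get(w("fldCharType"))
            if kind == "begin":
                open_fields.append([])
            elif kind == "end" and open_fields:
                codes.append("".join(open_fields.pop()).strip())
        elif el.tag == w("instrText") and open_fields:
            open_fields[-1].append(el.text or "")
    return codes


def find_external_fields(codes):
    """Flag field codes that read data from outside the document.

    Returns a list of {"field": KEYWORD, "target": first argument} dicts;
    the target is the first quoted argument, or the first bare token.
    """
    findings = []
    for code in codes:
        m = re.match(r"\s*([A-Za-z]+)\s*(.*)", code, re.S)
        if not m:
            continue
        keyword, rest = m.group(1).upper(), m.group(2)
        if keyword not in EXTERNAL_FIELDS:
            continue
        quoted = re.match(r'"([^"]*)"', rest)
        tokens = rest.split()
        target = quoted.group(1) if quoted else (tokens[0] if tokens else "")
        findings.append({"field": keyword, "target": target})
    return findings


def scan_docx(path):
    """Unzip a .docx and report external-data fields in its main body part."""
    with zipfile.ZipFile(path) as zf:
        document_xml = zf.read("word/document.xml").decode("utf-8")
    return find_external_fields(extract_field_codes(document_xml))


# Constructed sample body part: a benign DATE field, an INCLUDETEXT field
# whose visible result is a single space (so it shows nothing in normal view),
# and a benign PAGE field.  The file path is made up for this example.
SAMPLE_DOCUMENT_XML = """<w:document xmlns:w="%s"><w:body>
 <w:p><w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; "><w:r><w:t>17 October 2002</w:t></w:r></w:fldSimple></w:p>
 <w:p>
  <w:r><w:fldChar w:fldCharType="begin"/></w:r>
  <w:r><w:instrText xml:space="preserve"> INCLUDETEXT </w:instrText></w:r>
  <w:r><w:instrText xml:space="preserve">"C:\\\\Documents\\\\confidential.doc"</w:instrText></w:r>
  <w:r><w:fldChar w:fldCharType="separate"/></w:r>
  <w:r><w:t xml:space="preserve"> </w:t></w:r>
  <w:r><w:fldChar w:fldCharType="end"/></w:r>
 </w:p>
 <w:p><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>
</w:body></w:document>""" % W_NS


def write_sample_docx(path=None):
    """Write a minimal .docx-style zip holding only the sample body part."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "sample.docx")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("word/document.xml", SAMPLE_DOCUMENT_XML)
    return path


if __name__ == "__main__":
    for hit in scan_docx(write_sample_docx()):
        print("%s -> %s" % (hit["field"], hit["target"]))
```

Run against the constructed sample it reports only the INCLUDETEXT field and its target path, while the DATE and PAGE fields, which never leave the document, are passed over. For a real review, point scan_docx at each attachment; a hit is not proof of malice, but it is exactly the kind of field the advisory says should not refresh without the user's consent.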

How can I remove any additional data that is present in a Word or Excel
document?
Microsoft Knowledge Base article Q223396
<http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q223396>
discusses how to check for and remove additional data from Office
documents.

Can I read my e-mail in Outlook using plain text?
This capability was introduced in Office XP SP1. Microsoft Knowledge Base
article Q307594 <http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q307594>
describes how to do this.

What do the patches do?
The Word patch changes the default behavior in Word to prevent those
fields that insert data from sources external to the current document,
from updating automatically, without direct user interaction to force such
an update for those fields. This puts the user in control of whether the
update is allowed to proceed. The Excel 2002 patch prompts the user in the
one situation where Excel 2002 will not request the user's permission to
refresh external updates.

ADDITIONAL INFORMATION

The information has been provided by Microsoft.


DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.