
Microsoft IE and Office for Macintosh Vulnerabilities (CIAC M-068)

             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

             Microsoft IE and Office for Macintosh Vulnerabilities
                     [Microsoft Security Bulletin MS02-019]

April 18, 2002 18:00 GMT                                          Number M-068
______________________________________________________________________________
PROBLEM:       Two vulnerabilities have been identified by Microsoft: 1) A 
               buffer overflow exists with the handling of a particular HTML 
               element and 2) a vulnerability exists that allows local 
               AppleScripts to be invoked by a web page. 
PLATFORM:      Microsoft Internet Explorer 5.1 for Macintosh OS X 
               Microsoft Internet Explorer 5.1 for Macintosh OS 8 & 9 
               Microsoft Outlook Express 5.0.-5.0.3 for Macintosh 
               Microsoft Entourage v. X for Macintosh 
               Microsoft Entourage 2001 for Macintosh 
               Microsoft PowerPoint v. X for Macintosh 
               Microsoft PowerPoint 2001 for Macintosh 
               Microsoft PowerPoint 98 for Macintosh 
               Microsoft Excel v. X for Macintosh 
               Microsoft Excel 2001 for Macintosh 
DAMAGE:        1) A successful attack would cause the program to fail or 
               would cause code of the attacker's choice to run as if it 
               were the user. 
               2) The AppleScripts would run as if they had been launched by 
               the user, and could take the same actions as any AppleScript 
               legitimately launched by the user. 
SOLUTION:      Apply the patch supplied by vendor. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. 1) A successful attack using an HTML web 
ASSESSMENT:    page would require the attacker to lure the user into visiting 
               a site under their control. A successful attack using HTML email 
               would require specific knowledge of the user's mail client and 
               cannot be mounted against PC users. 2) A successful attack 
               requires that the attacker know the full path and file name of 
               any AppleScript they want to invoke. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-068.shtml 
 ORIGINAL BULLETIN:                                                           
                     http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-019.asp 
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS02-019 *****]

Microsoft Security Bulletin MS02-019  


Unchecked Buffer in Internet Explorer and Office for Mac Can Cause 
Code to Execute (Q321309)

Originally posted: April 16, 2002

Summary
Who should read this bulletin: All users of Microsoft® Internet Explorer 
and Office for the Macintosh® 

Impact of vulnerability: Run code of attacker's choice. 

Maximum Severity Rating: Critical 

Recommendation: Customers running Internet Explorer and Office for 
Macintosh should apply the patches. 

Affected Software: 

Microsoft Internet Explorer 5.1 for Macintosh OS X 
Microsoft Internet Explorer 5.1 for Macintosh OS 8 & 9 
Microsoft Outlook Express 5.0.-5.0.3 for Macintosh 
Microsoft Entourage v. X for Macintosh 
Microsoft Entourage 2001 for Macintosh 
Microsoft PowerPoint v. X for Macintosh 
Microsoft PowerPoint 2001 for Macintosh 
Microsoft PowerPoint 98 for Macintosh 
Microsoft Excel v. X for Macintosh 
Microsoft Excel 2001 for Macintosh 

Technical details
Technical description: 


This is a cumulative patch that, when applied, eliminates all previously 
released security vulnerabilities affecting IE 5.1 for Macintosh, and 
Office v. X for Macintosh. In addition, it eliminates two newly discovered 
vulnerabilities. 

The first is a buffer overrun vulnerability associated with the handling 
of a particular HTML element. Because of support for HTML in Office 
applications, this flaw affects both IE and Office for Macintosh. A security 
vulnerability results because an attacker can mount a buffer overrun attack 
against IE that attempts to exploit this flaw. A successful attack would 
cause the program to fail or would cause code of the attacker's choice to 
run as if it were the user. 

The second is a vulnerability that can allow local AppleScripts to be 
invoked by a web page. This vulnerability can allow locally stored 
AppleScripts to be invoked automatically without first calling the 
Helper application. The AppleScripts would run as if they had been 
launched by the user, and could take the same actions as any AppleScript 
legitimately launched by the user. The AppleScript would have to already 
be present on the system; there is no way for an attacker to deliver an 
AppleScript of her choosing through this vulnerability. 

Mitigating factors: 

Unchecked Buffer in HTML Element: 

Successfully exploiting this issue with Office files requires that a 
user accept files from an unknown or untrusted source. Users should 
never accept files from unknown or untrusted sources. Accepting files only 
from trusted sources can prevent attempts to exploit this issue.
 
A successful attack using HTML email would require specific knowledge 
of the user's mail client and cannot be mounted against PC users. 

A successful attack using an HTML web page would require the attacker 
to lure the user into visiting a site under her control. Users who exercise 
caution in their browsing habits can potentially protect themselves from 
attempts to exploit this vulnerability. 

On operating systems that enforce security on a per-user basis, such as 
Mac OS X, the specific actions that an attacker's code can take would be 
limited to those allowed by the privileges of the user's account. 

Local AppleScript Invocation: 

The vulnerability only affects IE on Mac OS 8 & 9. 

A successful attack requires that the attacker know the full path and 
file name of any AppleScript they want to invoke. 

The vulnerability provides no means to deliver an AppleScript of the 
attacker's construction: it can only invoke AppleScripts already present 
on the user's system. 

Severity Rating: 

Unchecked Buffer in HTML Element:  
                            Internet Servers  Intranet Servers  Client Systems 
Microsoft Internet Explorer 
5.1 for Macintosh OS X         None             None              Critical 
Microsoft Internet Explorer 
5.1 for Macintosh OS 8 & 9     None             None              Critical 
Microsoft Outlook Express 
5.0.2 for Macintosh            None             None              Critical 
Microsoft Entourage v. X 
for Macintosh                  None             None              Critical 
Microsoft Entourage 2001 
for Macintosh                  None             None              Critical 
Microsoft PowerPoint v. X 
for Macintosh                  None             None              Low 
Microsoft PowerPoint 2001 
for Macintosh                  None             None              Low 
Microsoft PowerPoint 98 
for Macintosh                  None             None              Low 
Microsoft Excel v. X 
for Macintosh                  None             None              Low 
Microsoft Excel 2001 
for Macintosh                  None             None              Low 


Local AppleScript Invocation:  
                             Internet Servers  Intranet Servers  Client Systems 
Microsoft Internet Explorer 
5.1 for Macintosh OS X         None             None              None 
Microsoft Internet Explorer 
5.1 for Macintosh OS 8 & 9     None             None              Moderate 
Microsoft Outlook Express 
5.0.2 for Macintosh            None             None              None 
Microsoft Entourage v. X 
for Macintosh                  None             None              None 
Microsoft Entourage 2001 
for Macintosh                  None             None              None 
Microsoft PowerPoint v. X 
for Macintosh                  None             None              None 
Microsoft PowerPoint 2001 
for Macintosh                  None             None              None 
Microsoft PowerPoint 98 
for Macintosh                  None             None              None 
Microsoft Excel v. X 
for Macintosh                  None             None              None 
Microsoft Excel 2001 
for Macintosh                  None             None              None 


Aggregate severity of all vulnerabilities eliminated by patch:  
                             Internet Servers  Intranet Servers  Client Systems 
Microsoft Internet Explorer 
5.1 for Macintosh OS X         None             None              Critical 
Microsoft Internet Explorer 5.1 
for Macintosh OS 8 & 9         None             None              Critical 
Microsoft Outlook Express 5.0.2 
for Macintosh                  None             None              Critical 
Microsoft Entourage v. X 
for Macintosh                  None             None              Critical 
Microsoft Entourage 2001 
for Macintosh                  None             None              Critical 
Microsoft PowerPoint v. X 
for Macintosh                  None             None              Low 
Microsoft PowerPoint 2001 
for Macintosh                  None             None              Low 
Microsoft PowerPoint 98 
for Macintosh                  None             None              Low 
Microsoft Excel v. X 
for Macintosh                  None             None              Low 
Microsoft Excel 2001 
for Macintosh                  None             None              Low 

The above assessment is based on the types of systems affected by the 
vulnerability, their typical deployment patterns, and the effect that 
exploiting the vulnerability would have on them. The unchecked buffer in 
HTML Element vulnerability could be remotely exploited through HTML email. 
On Office, the HTML Element issue does not qualify as a vulnerability, 
because exploiting the issue requires that users accept and open files 
from untrusted sources. The AppleScript local invocation requires detailed 
knowledge regarding the naming and configuration of the machine in order 
to be exploitable. In addition, the severity rating includes the aggregate 
ratings for issues eliminated by previous patches that are contained in 
this patch. 

Vulnerability identifier: 

Unchecked Buffer in HTML Element: CAN-2002-0152 
Local AppleScript Invocation: CAN-2002-0153 

Tested Versions:

Microsoft tested Internet Explorer 5.1 for Macintosh, Outlook Express 5.0.2, 
and Office v. X, 2001 and 98 to assess whether they are affected by this 
vulnerability. Previous versions are no longer supported, and may or may 
not be affected by these vulnerabilities.

Patch availability

Download locations for this patch 
Microsoft IE 5.1 for Mac OSX: Users must use the Software Update feature of 
Mac OS X v10.1 to install the "Internet Explorer 5.1 Security Update." 
More information on Software Update is available at: 
http://www.apple.com/macosx/upgrade/softwareupdates.html. 

All other products: http://www.microsoft.com/mac/download 

Microsoft PowerPoint 98 for Macintosh:
Patch is under development and will be available shortly. When this happens, 
we will re-release this bulletin with information on how to obtain and 
install these patches. 

Additional information about this patch

Installation platforms: 
Microsoft Internet Explorer 5.1 for Macintosh OS X:
This patch can be installed on systems running Mac OS X v. 10.1.
 
Microsoft Internet Explorer 5.1 for Macintosh OS 8 & 9:
This patch can be installed on systems running Mac OS 8 & 9.
 
Microsoft Outlook Express 5.0.4 for Macintosh:
This patch can be installed on systems running Mac OS 8 & 9. 

Microsoft Entourage v. X for Macintosh:
This patch can be installed on systems running Microsoft Office v. X for Mac.
 
Microsoft Entourage 2001 for Macintosh:
This patch can be installed on systems running Microsoft Office 2001 for 
Mac OS 8 & 9. 

Microsoft PowerPoint v. X for Macintosh:
This patch can be installed on systems running Microsoft Office v. X for Mac.
 
Microsoft PowerPoint 2001 for Macintosh:
This patch can be installed on systems running Microsoft Office 2001 for 
Mac OS 8 & 9. 

Microsoft PowerPoint 98 for Macintosh:
This patch can be installed on systems running Microsoft Office 98 Gold for 
Mac OS 8 & 9. 

Microsoft Excel v. X for Macintosh:
This patch can be installed on systems running Microsoft Office v. X for Mac.
 
Microsoft Excel 2001 for Macintosh:
This patch can be installed on systems running Microsoft Office 2001 for 
Mac OS 8 & 9. 

Reboot needed:
No 

Superseded patches: 

The Internet Explorer 5.1 for Macintosh OS X patch supersedes MS01-053. 
The Microsoft Office X patches supersede MS02-002. 

Verifying patch installation: 

Microsoft Internet Explorer 5.1 for Macintosh OS X:
To verify that the patch has been installed on the machine, confirm that 
the version number of Internet Explorer is now 5.1.4. 
This can be done by choosing "About Internet Explorer" from the "Explorer" 
menu and confirming the version number is "5.1.4 (4405)" 

Microsoft Internet Explorer 5.1 for Macintosh OS 8 & 9:
To verify that the patch has been installed on the machine, confirm that 
the version number of Internet Explorer is now 5.1.4. 
This can be done by choosing "About Internet Explorer" from the "Explorer" 
menu and confirming the version number is "5.1.4". 

Microsoft Outlook Express 5.0.4 for Macintosh:
Inside the Outlook Express folder, select: 
Outlook Express 
Select the file in the Finder. From the File menu, choose "Show Info", 
and verify that the version shown is "5.0.4". 

Microsoft Entourage v. X, Microsoft PowerPoint v. X, Microsoft Excel v. X 
for Macintosh:
Inside the Microsoft Office X:Office folder, select: 
Microsoft Office X 
Select the file in the Finder. From the File menu, choose "Show Info", and 
verify that the version shown is "10.0.3 (1412)". 

Microsoft Entourage 2001, Microsoft PowerPoint 2001, Microsoft Excel 2001, 
Microsoft Word 2001 for Macintosh:
Inside the Microsoft Office 2001:Office folder, select: 
Microsoft Internet Library 
Select the file in the Finder. From the File menu, choose "Get Info", and 
verify that the description shown is "Microsoft Office 2001 SP2". 

Caveats:
None 

Localization:
Localized versions of this patch are under development and will be available 
at the Macintosh download site referenced above. 

Obtaining other security patches: 

Patches for other security issues are available from the following locations: 

Security patches are available from the Microsoft Download Center, and can be 
most easily found by doing a keyword search for "security_patch". 

Patches for consumer platforms are available from the WindowsUpdate web site. 
All patches available via WindowsUpdate also are available in a 
redistributable form from the WindowsUpdate Corporate site. 

Other information: 

Acknowledgments

Microsoft thanks Josha Bronson of AngryPacket Security and w00w00 for 
reporting this issue to us and working with us to protect customers. 

Support: 

Microsoft Knowledge Base article Q321309 discusses this issue and will be 
available approximately 24 hours after the release of this bulletin. 
Knowledge Base articles can be found on the Microsoft Online Support web site. 

Technical support is available from Microsoft Product Support Services. 
There is no charge for support calls associated with security patches. 

Security Resources: The Microsoft TechNet Security Web Site provides 
additional information about security in Microsoft products. 

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided 
"as is" without warranty of any kind. Microsoft disclaims all warranties, 
either express or implied, including the warranties of merchantability and 
fitness for a particular purpose. In no event shall Microsoft Corporation or 
its suppliers be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages, even if Microsoft Corporation or its suppliers have been advised 
of the possibility of such damages. Some states do not allow the exclusion 
or limitation of liability for consequential or incidental damages so the 
foregoing limitation may not apply. 

Revisions: 

V1.0 (April 16, 2002): Bulletin Created. 

[***** End Microsoft Security Bulletin MS02-019 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-059: Red Hat "groff" Vulnerability
M-060: JRE Bytecode Verifier Vulnerability
M-061: HP VVOS Web proxy Vulnerability
M-062: Double Free Bug in zlib Compression Library
M-063: Microsoft Internet Explorer Vulnerabilities
CIACTech02-002: Microsoft Browser Helper Objects (BHO) Could Hide Malicious Code
M-064: Cisco web interface vulnerabilities in ACS for Windows
M-065: Red Hat Race Conditions in "logwatch"
M-066: Microsoft Cumulative Patch for Internet Information Services (IIS) Vulnerabilities
M-067: SGI Mail, mailx, sort, timed, and gzip Vulnerabilities

