IE and .xla may lead to problems

Georgi Guninski security advisory #57, 2002

IE and .xla leads to problems

Systems affected: Office XP + IE 6.0 + Win2K (probably others)
Risk: High
Date: 31 July 2002

Legal Notice:
This Advisory is Copyright (c) 2002 Georgi Guninski. You may distribute it unmodified. You may not modify it and distribute it or distribute parts of it without the author's written permission. If you want to link to this content use the URL: http://www.guninski.com/iexla.html
Anything in this document may change without notice.

Disclaimer:
The information in this advisory is believed to be true though it may be false. The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory or program. Georgi Guninski bears no responsibility for content or misuse of this advisory or program or any derivatives thereof.

Description:
If an IE user visits a specially designed web page, the page may create almost arbitrary files on the user's computer. This may lead to executing arbitrary programs on the user's computer.

Details:
This isn't quite a new issue, but the involvement of IE in it makes it worth noting.
[1] (from March 2002) describes a problem with the MS spreadsheet component [2] and its Host() function, which may be exploited to create a file. Microsoft tried to produce a partial patch for the issue, but the problem isn't solved yet. It is still possible to create a .xls or .xla file which writes files with the help of OWC. The .xla file may be just an .html file with an .xla extension.
Note: the HTML formatting of [1] is broken, so newlines should be dealt with.
Another interesting problem is [3] from 2000. The key point in it is that IE may invoke Excel with <object data="file.xla"></object>. Though not visible, Excel executes "file.xla", which may contain tricks from [1], so OWC does SaveAs().
So the strange ActiveX scheme is like this:
IE -> Excel -> OWC -> Excel -> SaveAs().

Workaround/Solution:
In IE, disable "Run ActiveX controls and plugins".
Have not tested this personally but probably works: Deregister and delete the MS Office spreadsheet component and/or all the OWC. This may be done from: Control Panel - Add/Remove Programs - Office - Change (then look for OWC)

Vendor status:
Microsoft was notified several days ago - they have opened a case on this report.

References (available from www.guninski.com and public lists):
[1] Georgi Guninski security advisory #53, 2002 - More Office XP problems - Version 3.0 - 31 March 2002
[2] The spreadsheet component from OWC is well documented on the office cds.
[3] Georgi Guninski security advisory #13, 2000 - IE 5 and Excel 2000, PowerPoint 2000 vulnerability - executing programs

Regards,
Georgi Guninski
http://www.guninski.com
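A content-filtering check for the two conditions described under Details, as an added example that is not part of the advisory: it flags pages that load an Excel file through <object data=...> and files served as .xla/.xls that are really markup. The function names and sample inputs are hypothetical and constructed here; the only outside fact assumed is that genuine binary workbooks of this era begin with the OLE2 compound-file signature.

```python
from html.parser import HTMLParser

# Extensions the advisory names as files Excel will open.
EXCEL_EXTS = (".xla", ".xls")
# Signature at the start of a genuine OLE2 (binary) workbook.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
MARKUP_HINTS = (b"<html", b"<!doctype", b"<object", b"<script", b"<?xml")


class ObjectDataFinder(HTMLParser):
    """Collect <object> tags whose data attribute points at an Excel file."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag != "object":
            return
        data = dict(attrs).get("data") or ""
        # Drop query string and fragment before testing the extension.
        path = data.split("?", 1)[0].split("#", 1)[0].lower()
        if path.endswith(EXCEL_EXTS):
            self.hits.append(data)


def find_excel_objects(html_text):
    """Return the data URLs of <object> tags that would hand a file to Excel."""
    finder = ObjectDataFinder()
    finder.feed(html_text)
    return finder.hits


def is_html_disguised_as_excel(blob):
    """True when content served as .xla/.xls is markup, not an OLE2 workbook."""
    if blob.startswith(OLE2_MAGIC):
        return False
    head = blob[:1024].lower()
    return any(hint in head for hint in MARKUP_HINTS)


# Constructed sample inputs (not taken from the advisory).
SAMPLE_PAGE = ('<html><body><OBJECT DATA="http://example.test/file.xla" width=1>'
               '</OBJECT><object data="chart.svg"></object></body></html>')
SAMPLE_FAKE_XLA = b"\r\n<html><body><object classid='placeholder'></object></body></html>"
SAMPLE_REAL_XLS = OLE2_MAGIC + b"\x00" * 504

if __name__ == "__main__":
    print(find_excel_objects(SAMPLE_PAGE))
    print(is_html_disguised_as_excel(SAMPLE_FAKE_XLA))
```

A proxy or mail gateway could run the first check on HTML bodies and the second on any response whose URL or attachment name ends in .xla or .xls.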