Department of Energy
Computer Incident Advisory Center
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
Excel and PowerPoint Macro Vulnerability
October 8, 2001 20:00 GMT Number M-004
______________________________________________________________________________
PROBLEM: Excel and PowerPoint macros can be written to avoid detection
by the macro security process. This vulnerability is the same as
one that Microsoft published earlier for Word.
PLATFORM: Microsoft Excel 98 for Macintosh
Microsoft Excel 2000 for Windows
Microsoft Excel 2001 for Macintosh
Microsoft Excel 2002 for Windows
Microsoft PowerPoint 98 for Macintosh
Microsoft PowerPoint 2000 for Windows
Microsoft PowerPoint 2001 for Macintosh
Microsoft PowerPoint 2002 for Windows
DAMAGE: Excel and PowerPoint may allow a specially formed document with
macro code to run arbitrary malicious code without prior
warning to the user.
SOLUTION: Patch or upgrade as directed in the bulletin.
______________________________________________________________________________
VULNERABILITY The risk is MEDIUM. Circumvented macro security processes may
ASSESSMENT: allow malicious macro code to run without prior warning.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-004.shtml
ORIGINAL BULLETINS:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/
security/bulletin/MS01-050.asp (Excel and PowerPoint)
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/
security/bulletin/MS01-034.asp (Word)
PATCHES: Microsoft Excel 2000 for Windows:
http://download.microsoft.com/download/excel2000/e2kmac/1/w98nt42kme/en-
us/e2kmac.exe
Microsoft Excel 2002 for Windows:
http://download.microsoft.com/download/excel2002/exc1001/1/w98nt42kme/en-
us/exc1001.exe Microsoft Excel 98 for Macintosh:
http://www.microsoft.com/mac/download/office98/pptxlmacro.asp
Microsoft Excel 2001 for Macintosh:
http://www.microsoft.com/mac/download/office2001/pptxlmacro.asp
Microsoft PowerPoint 2000 for Windows:
http://download.microsoft.com/download/powerpoint2000/p2kmac/1/w98nt42kme/en-
us/p2kmac.exe Microsoft PowerPoint 2002 for Windows:
http://download.microsoft.com/download/powerpoint2002/ppt1001/1/w98nt42kme/en-
us/ppt1001.exe Microsoft PowerPoint 98 for Macintosh:
http://www.microsoft.com/mac/download/office98/pptxlmacro.asp
______________________________________________________________________________
[****** Start Advisory ******]
Microsoft Security Bulletin MS01-050
Malformed Excel or PowerPoint Document Can Bypass Macro Security
Originally posted: October 04, 2001
Summary
Who should read this bulletin: Customers using Microsoft(r) Excel or PowerPoint
for Windows(r) or Macintosh(r)
Impact of vulnerability: Run code of attacker's choice.
Recommendation: Customers using affected versions of Excel and/or PowerPoint
should apply the patch immediately.
Affected Software:
Microsoft Excel 2000 for Windows
Microsoft Excel 2002 for Windows
Microsoft Excel 98 for Macintosh
Microsoft Excel 2001 for Macintosh
Microsoft PowerPoint 2000 for Windows
Microsoft PowerPoint 2002 for Windows
Microsoft PowerPoint 98 for Macintosh
Microsoft PowerPoint 2001 for Macintosh
Technical details
Technical description:
Excel and PowerPoint have a macro security framework that controls the execution
of macros and prevents macros from running automatically. Under this framework,
any time a user opens a document the document is scanned for the presence of
macros. If a document contains macros, the user is notified and asked if he
wants to run the macros or the macros are disabled entirely, depending on the
security setting. A flaw exists in the way macros are detected that can allow a
malicious user to bypass macro checking.
A malicious attacker could attempt to exploit this vulnerability by crafting a
specially formed Excel or PowerPoint document with macro code that would run
automatically when the user opened it. The attacker could carry out this attack
by hosting the malicious file on a web site, a file share, or by sending it
through email.
Mitigating factors:
The macro code could not execute without the user's first opening the document.
Vulnerability identifier: CAN-2001-0718
Tested Versions:
Microsoft tested the following products to assess whether they are affected by
these vulnerabilities. Previous versions are no longer supported, and may or may
not be affected by these vulnerabilities.
Office 98 for Macintosh
Office 2001 for Macintosh
Office 2000 for Windows
Office 2002 for Windows
Frequently asked questions
What's the scope of the vulnerability?
This vulnerability could enable a malicious user to create specially formed
Excel or PowerPoint files that would bypass macro security and execute
automatically when the document is opened. Because macros by design can take any
action that the user is able to take, this vulnerability could allow an attacker
to take actions such as changing or deleting data, communicating with web sites,
or changing the macro security settings.
This would not be able to take any actions that the user is not normally capable
of. As such, access controls that limit the user's abilities would also limit
the ability of the malicious documents. Further, a successful attack would
require that the user open the malicious document. Best practices recommend that
users not open documents from unknown or untrusted sources.
What causes the vulnerability?
The vulnerability results because the macro detecting framework can fail to
detect all instances in which the macro processor can execute macro commands.
When a valid document is intentionally designed to obfuscate the presence of
macros, it is still possible for those marcos to execute.
What are macros?
Macros are small programs within applications such as Excel and PowerPoint. When
macros run, they can take actions within the application or the operating system
as if they were the user. An example of a simple action a macro might take in an
application would be to find and replace text within a document. A more
sophisticated macro might include features that perform automatic formatting on
a document, copy files from the local system to the network, and send review
copies by email.
Because macros are really small programs, it is possible for attackers to create
malicious macros that take undesirable actions, such as deleting files, sending
unwanted messages by email, or changing the data in documents. To help protect
against malicious macros, Excel and PowerPoint have a security model that
prevent macros from executing without warning.
What's wrong with the macro protection in Excel and PowerPoint?
It is possible for a malicious user to create a specially malformed Excel or
PowerPoint document that would bypass the macro protections and allow macros to
execute automatically.
Is it possible to create a document like this by accident?
No. It is not possible to create a document that bypasses macro protection by
accident. It would require very specific, detailed knowledge and such a document
would have to be specifically constructed with malicious intent.
What could an attacker use this vulnerability to do?
This could allow an attacker to craft a malicious document with macro code that
would run automatically when the user opened the document.
What actions could the malicious document take?
Because macros take action on behalf of the user, a macro virus that ran would
be able to take actions that the user himself is able to take, including
changing or deleting files, sending data to external web sites, or reformatting
the hard drive.
It's important to highlight that this means that it is possible for a macro
virus to reset the user's security settings. A successful macro virus attack
could leave a system vulnerable to future attack by disabling the security
settings.
How would an attacker carry out an attack against this vulnerability?
An attacker could carry out an attack by several different routes. She could
host a malicious document on a web site internally or on the Internet. She could
place a malicious document on any file server to which she had appropriate
permissions. Additionally, she could target specific individuals by sending a
copy through email.
It's important to note that all attempts to carry out an attack require the
potential victim to open the document. It is not possible to exploit this
vulnerability without the user's action. Opening documents only from known,
trusted sources will help to protect against an attempt to maliciously exploit
this vulnerability.
What does the patch do?
The patch eliminates the vulnerability by improving the code which detects the
presence of macros in these document types.
Who should apply the patch?
Anyone using or administering systems running the affected software versions
should apply the patch
I'm running Excel 97 and/or PowerPoint 97, does this issue affect me?
First, it's important to understand that Excel and PowerPoint 97 do not have the
same macro security framework as Excel and PowerPoint 2000 and 2002. The Excel
and PowerPoint 97 macro security framework lacks many key features that the 2000
and 2002 macro security framework has, including a digital signature trust model
that allows trusted, signed macros to be differentiated from untrusted, unsigned
macros. Under this older framework, it is difficult for a user to make an
informed decision regarding the trustworthiness of macros.
In addition, as noted under "Tested Versions", Excel and PowerPoint 97 are no
longer supported products.
Because of these two issues, customers who are concerned about macro security
are urged to upgrade to a support version with a more robust macro security
model.
Are other members of the Office Suite vulnerable?
No. All members of the Office Suites for Windows and Macintosh were tested. No
other products in the Office Suite were found to be vulnerable.
Patch availability
Download locations for this patch
Microsoft Excel 2000 for Windows:
http://download.microsoft.com/download/excel2000/e2kmac/1/w98nt42kme/en-
us/e2kmac.exe
Microsoft Excel 2002 for Windows:
http://download.microsoft.com/download/excel2002/exc1001/1/w98nt42kme/en-
us/exc1001.exe
Microsoft Excel 98 for Macintosh:
http://www.microsoft.com/mac/download/office98/pptxlmacro.asp
Microsoft Excel 2001 for Macintosh:
http://www.microsoft.com/mac/download/office2001/pptxlmacro.asp
Microsoft PowerPoint 2000 for Windows:
http://download.microsoft.com/download/powerpoint2000/p2kmac/1/w98nt42kme/en-
us/p2kmac.exe
Microsoft PowerPoint 2002 for Windows:
http://download.microsoft.com/download/powerpoint2002/ppt1001/1/w98nt42kme/en-
us/ppt1001.exe
Microsoft PowerPoint 98 for Macintosh:
http://www.microsoft.com/mac/download/office98/pptxlmacro.asp
Microsoft PowerPoint 2001 for Macintosh:
http://www.microsoft.com/mac/download/office2001/pptxlmacro.asp
Additional information about this patch
Installation platforms:
These patches can be installed on systems running Excel or PowerPoint 2000 SR-1
or SP2 for Windows and systems running Excel or PowerPoint 98 or 2001 for
Macintosh.
Inclusion in future service packs:
The fix for this issue will be included in Office XP Service Pack 1.
Reboot needed:No
Superseded patches: None.
Verifying patch installation:
Microsoft Excel 2000 for Windows:
Select the Help menu, and choose "About", and verify that the version shown in
the dialogue is 9.0.5519.
Microsoft Excel 2002 for Windows:
Select the Help menu, and choose "About", and verify that the version shown in
the dialogue is 10.3207.2625.
Microsoft PowerPoint 2000 for Windows:
Select the Help menu, and choose "About", and verify that the version shown in
the dialogue is 9.0.5519.
Microsoft PowerPoint 2002 for Windows:
Select the Help menu, and choose "About", and verify that the version shown in
the dialogue is 10.3207.2625.
Microsoft Excel and PowerPoint 98 for Macintosh:
Select the file in the Finder, From the File menu, choose "Get Info", and verify
that the version shown is 9.0.1 (3618).
Microsoft Excel and PowerPoint 2001 for Macintosh:
Select the file in the Finder, From the File menu, choose "Get Info", and verify
that the description shown is "2001 Security Update".
Caveats:
None
Localization:
Localized versions of this patch are available at the locations discussed in
"Obtaining other security patches".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
Security patches are available from the Microsoft Download Center, and can be
most easily found by doing a keyword search for "security_patch".
Patches for consumer platforms are available from the WindowsUpdate web site
All patches available via WindowsUpdate also are available in a redistributable
form from the WindowsUpdate Corporate site.
Other information:
Acknowledgments
Microsoft thanks Peter Ferrie of Symantec Security Response
(http://securityresponse.symantec.com) for reporting this issue to us and
working with us to protect customers.
Support:
Microsoft Knowledge Base articles Q306603, Q306604, Q306605, Q306606 discuss
these issues and will be available approximately 24 hours after the release of
this bulletin. Knowledge Base articles can be found on the Microsoft Online
Support web site.
Technical support is available from Microsoft Product Support Services. There is
no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional
information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind. Microsoft disclaims all warranties, either express
or implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Microsoft Corporation or its suppliers be
liable for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if Microsoft
Corporation or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
V1.0 (October 04, 2001): Bulletin Created.
[****** End Advisory ******]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Microsoft for the
information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
L-138: Gauntlet Firewall CSMAP and smap/smapd Buffer Overflow Vulnerability
L-139: Microsoft IIS "%u encoding IDS bypass vulnerability"
L-140: Gauntlet Firewall CSMAP and smap/smapd Buffer Overflow Vulnerability
L-141: RSA BSAFE SSL-J 3.x Vulnerability
L-142: RPC Endpoint Mapper Vulnerability
L-143: HP libsecurity Vulnerability
L-144: The W32.nimda Worm
M-001: Cisco Secure IDS Signature Obfuscation Vulnerability
M-002: Multi-Vendor format String Vulnerability in ToolTalk Service
M-003: Hewlett-Packard rpcbind Security Vulnerability
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
