For those of you not on the MS Security bulletin list... This affects MS Office XP, but is corrected in the SP2 patch at the office updater ( http://office.microsoft.com/productupdates ).

Cordially,
Steven Fredette
President
http://www.prowebsites.net
Indianapolis, Indiana. USA (-5 GMT/UT)
"For Your Internet Wants and Needs" Since 1997
Free Web design tutorials at: http://www.prowebsites.net/frontpagehelp

-----Original Message-----
From: Microsoft [mailto:0_35529_4EA7AE2D-C959-D111-9D3F-0000F84121EB_US@xxxxxxxxxxxxxxxx osoft.com]
Sent: Wednesday, August 21, 2002 17:31
To: prowebsites@xxxxxxxxxxxxxxx
Subject: Microsoft Security Bulletin MS02-044 : Unsafe Functions in Office Web Components (Q328130)

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:    Unsafe Functions in Office Web Components (Q328130)
Date:     21 August 2002
Software: Office Web Components, Office, BackOffice Server, BizTalk Server, Commerce Server, ISA Server, Money, Microsoft Project, Microsoft Project Server, Small Business Server
Impact:   Three vulnerabilities, the most serious of which could allow an attacker to run commands on the user's system.
Max Risk: Critical
Bulletin: MS02-044

Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS02-044.asp.
- ----------------------------------------------------------------------

Issue:
======
The Office Web Components (OWC) contain several ActiveX controls that give users limited functionality of Microsoft Office in a web browser without requiring that the user install the full Microsoft Office application. This allows users to utilize Microsoft Office applications in situations where installation of the full application is infeasible or undesirable. The control contains three security vulnerabilities, each of which could be exploited either via a web site or an HTML mail.
The vulnerabilities result because of implementation errors in the following methods and functions the controls expose:

- Host(). This function, by design, provides the caller with access to applications' object models on the user's system. By using the Host() function, an attacker could, for instance, open an Office application on the user's system and invoke commands there that would execute operating system commands as the user.

- LoadText(). This method allows a web page to load text into a browser window. The method does check that the source of the text is in the same domain as the window, and in theory should restrict the page to only loading text that it hosts itself. However, it is possible to circumvent this restriction by specifying a text source located within the web page's domain, and then setting up a server-side redirect of that text to a file on the user's system. This would provide an attacker with a way to read any desired file on the user's system.

- Copy()/Paste(). These methods allow text to be copied and pasted. A security vulnerability results because the method does not respect the "disallow paste via script" security setting in IE. Thus, even if this setting had been selected, a web page could continue to access the copy buffer, and read any text that the user had copied or cut from within other applications.

The patch does not set the "kill bit" on the control, for reasons discussed in the FAQ.

Mitigating Factors:
====================
Overall:
- In the case of the web-based attack, an attacker would need to force a user to visit the attacker's Web site. Users who exercise caution in visiting web sites could minimize their risk.
- In the web-based attack, if ActiveX controls have been disabled in the zone in which the page were viewed, the vulnerability could not be exploited. Users who place untrusted sites in the Restricted Sites zone, which disables ActiveX by default, or have disabled ActiveX controls in the Internet zone could minimize their risk.
- In the case of HTML email based attacks, customers who read email in the Restricted Sites zone would be protected against attempts to exploit this vulnerability. Customers using Outlook 2002 and Outlook Express 6.0, as well as Outlook 2000 and Outlook 98 customers who have applied the Outlook Email Security Update, would thus be protected by default. Also, Outlook Express 5.0 customers who have chosen to read mail in the Restricted Sites zone would be protected by default.
- In the HTML email based attack, Outlook 2002 customers who have enabled the "Read as Plain Text" option available in SP1 or later would also be protected.

Host() Vulnerability:
- The attacker's code would be limited by restrictions on the user's account. Users of non-privileged accounts would limit the potential damage from a successful attack.

LoadText():
- The attacker would need to know the full path and name of the file. In addition, the file would have to be viewable in a web browser.

Copy()/Paste():
- The vulnerability could enable an attacker to access only information in the Windows clipboard. The information in the clipboard is unpredictable, and this vulnerability gives no means for an attacker to target and retrieve specific information. Further, it is possible for the clipboard to be empty, which would yield an attacker nothing.
- The security setting in question is not enabled by default. Thus, the vulnerability does not present a threat to the default installation.

Risk Rating:
============
- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms02-044.asp for information on obtaining this patch.
- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
-----END PGP SIGNATURE-----

*******************************************************************
You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service. For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.

To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.
To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp

If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via email as described below. Send an email to unsubscribe to the Service by following these steps:

a. Send an e-mail to securrem@xxxxxxxxxxxxxx The subject line and the message body are not used to process the subscription request, and can be anything you like.
b. Send the e-mail.
c. You will receive a response, asking you to verify that you really want to cancel your subscription. Compose a reply, and put "OK" in the message body. (Without the quotes). Send the reply.
d. You will receive an e-mail telling you that your name has been removed from the subscriber list.

For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.

*************************************************************
You are receiving this mail because you subscribed to mso@xxxxxxxxxxxxx or MicrosoftOffice@xxxxxxxxxxxxxxxx

To send mail to the group, simply address it to mso@xxxxxxxxxxxxx

To Unsubscribe from this group, send an email to mso-request@xxxxxxxxxxxxx?Subject=unsubscribe

Or, visit the group's homepage and use the dropdown menu. This will also allow you to change your email settings to digest or vacation (no mail). //www.freelists.org/webpage/mso

To be able to use the files section for sharing files with the group, send a request to mso-moderators@xxxxxxxxxxxxx and you will be sent an invitation with instructions. Once you are a member of the files group, you can go here to upload/download files: http://www.smartgroups.com/vault/msofiles
*************************************************************
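The LoadText() flaw the bulletin above describes is a same-domain check applied to the requested URL but not to where a server-side redirect then sends the fetch. The following is an added illustration, not code from the original mail or from Microsoft's controls: the in-memory FAKE_WEB, the host names, the file path and the function names are all constructed for the example, and the hardened variant re-applies the policy at every redirect hop instead of once up front.

```python
from urllib.parse import urlparse

# Constructed in-memory "web": each URL maps to either a redirect or a body.
# Hypothetical hosts and paths; "file:" models the redirect to a local file.
FAKE_WEB = {
    "http://page.example/note.txt": ("text", "text hosted by the page itself"),
    "http://page.example/redir":    ("redirect", "file:///C:/secret.txt"),
    "http://page.example/hop":      ("redirect", "http://page.example/note.txt"),
    "file:///C:/secret.txt":        ("text", "LOCAL FILE CONTENTS"),
}

def same_domain(url, page_url):
    """Policy: http only, and the host must match the page's own host."""
    a, b = urlparse(url), urlparse(page_url)
    return a.scheme == "http" and a.netloc == b.netloc

def fetch_follow(url, max_hops=5):
    """Follow redirects blindly, with no further policy checks."""
    for _ in range(max_hops):
        entry = FAKE_WEB.get(url)
        if entry is None:
            return None
        kind, value = entry
        if kind == "text":
            return value
        url = value            # redirect: keep going, wherever it points
    return None

def load_text_vulnerable(page_url, src):
    """Check the source once, then follow redirects: the bug pattern."""
    if not same_domain(src, page_url):
        return None
    return fetch_follow(src)

def load_text_hardened(page_url, src, max_hops=5):
    """Re-check the policy on every hop, so a redirect cannot leave the domain."""
    url = src
    for _ in range(max_hops):
        if not same_domain(url, page_url):
            return None        # off-domain or non-http target: refuse
        entry = FAKE_WEB.get(url)
        if entry is None:
            return None
        kind, value = entry
        if kind == "text":
            return value
        url = value
    return None
```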