[office2000] SECURITY ALERT: Flaw in Word Fields and Excel External Updates Could Lead to Information Disclosure

  • From: "Jim Kenzig http://thethin.net" <jimkenz@xxxxxxxxxxxxxx>
  • To: <MSOFFICE@xxxxxxxxxxxxx>
  • Date: Mon, 21 Oct 2002 18:22:00 -0400

Microsoft Security Bulletin MS02-059


Flaw in Word Fields and Excel External Updates Could Lead to Information
Disclosure (Q330008)
Originally posted: Oct 16, 2002

Summary
Who should read this bulletin: Customers using Microsoft® Word or Microsoft®
Excel.

Impact of vulnerability: Information Disclosure

Maximum Severity Rating: Moderate

Recommendation: Customers using Word or Excel should apply the patches.

Affected Software:

Microsoft Word 2002
Microsoft Word 2000
Microsoft Word 97
Microsoft Word 98(J)
Microsoft Word X for Macintosh
Microsoft Word 2001 for Macintosh
Microsoft Word 98 for Macintosh
Microsoft Excel 2002

 Technical details
Technical description:


Word and Excel provide a mechanism through which data from one document can
be inserted into and updated in another document. This mechanism, known as
field codes in Word and external updates in Excel, can be automated to
reduce the amount of manual effort required by a user. An example of the use
of Word field codes could be the automatic insertion of a standard
disclaimer paragraph in a legal document. An example of the use of external
updates in Excel could be the automatic updating of a chart in one
spreadsheet using data in a different spreadsheet.

A vulnerability exists because it is possible to maliciously use field codes
and external updates to steal information from a user without the user being
aware. Certain events can trigger field codes and external updates to be
updated, such as saving a document or the user manually updating the
links. Normally the user would be aware of these updates occurring; however,
a specially crafted field code or external update can be used to trigger an
update without any indication to the user. This could enable an attacker to
create a document that, when opened, would update itself to include the
contents of a file from the user's local computer.

In order for an attacker to take advantage of this vulnerability, the
attacker would need to perform the following steps:

  • Craft a Word or Excel document that exploits the vulnerability
  • Deliver it to the user, via email or some other method
  • Entice the user to open the document
  • Return the document to the attacker. (Microsoft is aware of one case in
    which it would not be necessary for the user to do this. There is one
    method through which the attacker's document could post information
    directly to a web site, but it would only allow the first line of the
    file to be sent)

Mitigating factors:

  • The attacker would need to know the location of the file that he or she
    wanted to steal. If the correct filename were not presented, the attack
    would fail and an invalid field error message would be present in the
    document.
  • The user could always view the field codes or external updates. The
    field codes or external updates used in the attack can be revealed, as
    they are only hidden to prevent cluttering the document when it is being
    viewed or edited. A method of checking documents for additional
    undesired information is described in the Frequently Asked Questions
    below.
  • Although the attacker could take some steps to obscure the stolen
    information, the attacker would leave a clear audit trail. Since the
    field codes or external updates can be viewed, even if an attack is
    successful, the attacker would leave clear evidence in the document in
    the form of the stolen information and the malicious field codes used.
    This evidence could be used by law enforcement agencies if required.
  • The vulnerability would not enable the attacker to delete, modify or add
    any files to the user's local system.
  • In virtually all circumstances, the attacker would need to entice the
    user into returning the document. No information would be revealed
    unless the user returned the document to the attacker.

Severity Rating:

                       Internet Servers   Intranet Servers   Client Systems
  Word (all versions)  None               None               Moderate
  Excel 2002           None               None               Moderate

The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2002-1143

Tested Versions:
Microsoft tested Word 2002, Word 2000, Word 98(J), Word 97, Word X for
Macintosh, Word 2001 for Macintosh, Word 98 for Macintosh, Excel 2002, Excel
2000, Excel 97, Excel X for Macintosh, Excel 2001 for Macintosh and Excel 98
for Macintosh to assess whether they are affected by these vulnerabilities.
Previous versions are no longer supported, and may or may not be affected by
these vulnerabilities.


 Frequently asked questions
What's the scope of the vulnerability?

This vulnerability could enable an attacker to create a document that could
be used to steal the contents of a document that another user has access to.

Under virtually all circumstances it would not be possible for an attacker
to exploit the vulnerability without the involvement of the user. In order
for an attacker to take advantage of this vulnerability, the attacker would
have to craft a malicious Word or Excel document, deliver it to the user (via
email or other means) and then entice the user to return the document. Even
a successful attack would leave tell-tale evidence that could aid law
enforcement in identifying the attacker.

What products does this affect?

The issue affects all versions of Word including when Word is used as the
e-mail editor by Microsoft Outlook. Excel 2002 is also affected.

What causes the vulnerability?

By design, field codes and external updates can be used to insert data from
other sources into Word documents and Excel spreadsheets. Normally the user
is aware of these updates occurring. However, a flaw in the way field codes
and external updates are implemented could make it possible to craft a
malicious field code or external update that, when the document or
spreadsheet is opened, will automatically update without the user being
aware.

What are field codes and external updates?

Field codes and external updates are ways of automating the insertion of
data in a document. For example, field codes are often used in a Word
document to insert the date or page number automatically. External updates
in Excel are similar, and can be used for example to insert data from one
Excel spreadsheet into another automatically.

Field codes and external updates typically are hidden from view during
normal document editing, so as not to clutter the user's view. However they
can be revealed and inspected at any time, if necessary. Field codes and
external links cannot be permanently hidden in a document to the extent that
they cannot be revealed later.

What's wrong with the way Word field codes and Excel external updates are
implemented?

By design, field codes and external updates can automatically insert and
update information from external sources, including data files on the user's
system. This is normally legitimate automation on the user's behalf.
However, a flaw exists because this update behavior can be manipulated so
that a hidden field code can carry out an update without the user being
aware. This can be used to insert information from a user's document into
the attacker's document, without the user being aware.

What could this vulnerability enable an attacker to do?

The vulnerability could enable the attacker to steal the contents of a
user's document without the user being aware.

How could an attacker exploit this vulnerability?

There are a number of steps an attacker would have to take in order to
execute a successful attack:

  • The attacker would have to craft a special Word or Excel document that
    contained specially crafted Word fields or Excel external updates. These
    field codes or external updates would need to reference the exact name
    and location of the file that the attacker wished to steal.
  • The attacker would then have to deliver the document to the user via
    email or some other means, and convince the user to open it.
  • After closing the document, the user would need to return the document
    to the attacker. (There is one niche case, discussed below, in which
    this would not be necessary)

What's the case in which the user would not have to return the attacker's
document?

There is one limited scenario where an attacker could use a field code to
send data directly to a web site under the attacker's control. Although this
scenario would eliminate the need for the user to return the attacker's
document, it's subject to a significant drawback - it could only be used to
obtain the first line from the user's file.

How is Microsoft Outlook affected?

Microsoft Outlook itself is not affected. However, Outlook 2002 uses Word as
its e-mail editor by default. Outlook 2000 and Outlook 97 can be configured
to use Word as their e-mail editor. Microsoft Outlook for Macintosh does not
use Word as its e-mail editor. If Word is being used as the Outlook e-mail
editor, an e-mail message is treated as a document. The Word patch described
in this bulletin corrects this issue whether Word is used separately or in
conjunction with Outlook.

Could this vulnerability be used to forge a digitally signed document?

No, the signature would be invalidated as soon as the maliciously crafted
document was opened. This would be evident from inspecting the digital
signature. Microsoft Knowledge Base article Q329228 discusses how to verify
a digital signature in an Office document.

Is there any way of seeing what an attacker might have stolen?

Yes there is. It is important to understand that the contents of the stolen
document do not become invisible. The attacker may choose to obscure the
contents of the stolen document, but the contents will still be visible if
all field codes are revealed and the document is inspected. The stolen
contents cannot be irreversibly hidden.

Field codes and external updates can be exposed by selecting the following
menu options:

  • Word 2002, 2000, 97, 98(J): Tools|Options|View then selecting the "Field
    Codes" box.
  • Word X, 2001 for Macintosh: Edit|Preferences|View then selecting the
    "Field Codes" box.
  • Word 98 for Macintosh: Tools|Preferences|View then selecting the "Field
    Codes" box.
  • Excel 2002: Tools|Options|View|Formulas

This evidence, which will always be present, could be used if necessary to
pursue disciplinary or legal action against an attacker.

How can I remove any additional data that is present in a Word or Excel
document?

Microsoft Knowledge Base article Q223396 discusses how to check for and
remove additional data from Office documents.

Can I read my e-mail in Outlook using plain text?

This capability was introduced in Office XP SP1. Microsoft Knowledge Base
article Q307594 describes how to do this.

What do the patches do?

The Word patch changes the default behavior in Word to prevent those fields
that insert data from sources external to the current document, from
updating automatically, without direct user interaction to force such an
update for those fields. This puts the user in control of whether the update
is allowed to proceed. The Excel 2002 patch prompts the user in the one
situation where Excel 2002 will not request the user's permission to refresh
external updates.

I'm a network administrator and I'd like to deploy the patch to my users,
rather than requiring them each to visit the OfficeUpdate site. Is there a
way to do this?

Yes. An administrative update is available that will let you
do this. To download the administrative update, just visit the download
location for the appropriate version of Word and Excel. Links to the
administrative update are provided on the download pages.

Patch availability
Download locations for this patch
Microsoft Word 2002:
http://office.microsoft.com/downloads/2002/wrd1005.aspx
http://www.microsoft.com/office/ork/xp/journ/Wrd1005a.htm (administrative
update only)
Microsoft Word 2000:
http://office.microsoft.com/downloads/2000/wrd0902.aspx
Word 97/Word 98(J):
Information on receiving Word 97 & Word 98(J) support is available at:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q330080
Word X for Macintosh:
http://www.microsoft.com/mac/download/security.asp
Word 2001 for Macintosh:
http://www.microsoft.com/mac/download/security.asp
Word 98 for Macintosh:
http://www.microsoft.com/mac/download/security.asp
Excel 2002:
http://office.microsoft.com/downloads/2002/exc1003.aspx
http://www.microsoft.com/office/ork/xp/journ/Exc1003a.htm (administrative
update only)

 Additional information about this patch
Installation platforms:

  • The Word 2002 patch can be installed on systems running Word 2002 with
    Office XP Service Pack 2. (The administrative update can be installed on
    systems running Office 2002 Service Pack 1 as well).
  • The Word 2000 patch can be installed on systems running Word 2000 with
    Office 2000 Service Release 1 or Service Pack 2.
  • The Word 98(J) patch can be installed on systems running Microsoft Word
    98(J) Gold or any Word 98(J) service release, but is only supported on
    Word 98(J) Service Release 2b.
  • The Word 97 patch can be installed on systems running Microsoft Word 97
    Gold or any Word 97 service release, but is only supported on Word 97
    Service Release 2b.
  • The Word X for Macintosh patch can be installed on systems running the
    latest version of Office v.X. To determine the latest version of Office,
    look at
    http://www.microsoft.com/mac/download/misc/make_office_current.asp
  • The Word 2001 for Macintosh patch can be installed on systems running
    the latest version of Office 2001. To determine the latest version of
    Office, look at
    http://www.microsoft.com/mac/download/misc/make_office_current.asp
  • The Word 98 for Macintosh patch can be installed on systems running the
    latest version of Office 98. To determine the latest version of Office,
    look at
    http://www.microsoft.com/mac/download/misc/make_office_current.asp
  • The Excel 2002 patch can be installed on systems running Excel 2002 with
    Office XP Service Pack 2. (The administrative update can be installed on
    systems running Office 2002 Service Pack 1 as well).

Inclusion in future service packs:
The fix for this issue will be included in any future service packs for the
affected products.

Reboot needed: No

Patch can be uninstalled: No

Superseded patches: None.

Verifying patch installation:

  • Word 2002: Verify that the version number of Winword.exe is 10.0.4524.0
  • Word 2000: Verify that the version number of Winword.exe is 9.00.00.6926
  • Word 97/Word 98(J): Information on checking Word 97/Word 98(J) is
    available at:
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q330080
  • Word X for Macintosh: Information on checking Word v.X for Macintosh is
    available at: http://www.microsoft.com/mac/download/security.asp
  • Word 2001 for Macintosh: Information on checking Word 2001 for Macintosh
    is available at: http://www.microsoft.com/mac/download/security.asp
  • Word 98 for Macintosh: Information on checking Word 98 for Macintosh is
    available at: http://www.microsoft.com/mac/download/security.asp
  • Excel 2002: Verify that the version number of Excel.exe is 10.0.4524.0

Caveats:
None

Localization:
Localized versions of this patch are available at the locations discussed in
"Patch Availability".

Obtaining other security patches:
Patches for other security issues are available from the following
locations:

  • Security patches are available from the Microsoft Download Center, and
    can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web
    site.

Other information:

Support:

  • Microsoft Knowledge Base article Q330008 discusses this issue and will be
    available approximately 24 hours after the release of this bulletin.
    Knowledge Base articles can be found on the Microsoft Online Support web
    site.
  • Technical support is available from Microsoft Product Support Services.
    There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.

Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages, even
if Microsoft Corporation or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.

Revisions:


V1.0 (October 16, 2002): Bulletin Created.
V1.1 (October 17, 2002): Updated to clarify that the Word 2002 patch can be
applied to systems running Word 2002 Service Pack 1 using the administrative
update.
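
The FAQ above describes revealing field codes through the View options; the same inspection can be done in bulk on documents saved as RTF. The following is an added example, not part of the bulletin or any Microsoft tool: it lists every field instruction in an RTF file and flags those whose argument points at a file path or URL. The sample document, the function names and the flagging heuristic are assumptions made for illustration.

```python
import re

# Arguments that point outside the document: drive paths, UNC paths, URLs.
EXTERNAL_REF = re.compile(
    r'(?i)(?:[a-z]:[\\/]|\\\\[^\\\s"]+\\|(?:https?|ftp|file)://)[^\s"]*')
# RTF syntax to drop when recovering text; group 1 keeps escaped \ { } literals.
TOKEN = re.compile(
    r"\\([\\{}])|\\\*|\\[a-zA-Z]+-?\d* ?|\\'[0-9a-fA-F]{2}|[{}\r\n]")

def group_end(rtf, start):
    """Index of the '}' closing the group that opens at rtf[start]."""
    depth, i = 0, start
    while i < len(rtf):
        c = rtf[i]
        if c == "\\":          # escaped char or control word: never a brace
            i += 2
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unbalanced RTF group")

def plain_text(group):
    """Strip control words and braces, keep the literal instruction text."""
    text = TOKEN.sub(lambda m: m.group(1) or "", group)
    return " ".join(text.split())

def field_instructions(rtf):
    """Yield the text of every {\\*\\fldinst ...} group, nested ones included."""
    for m in re.finditer(r"\{\\\*\\fldinst", rtf):
        yield plain_text(rtf[m.end():group_end(rtf, m.start())])

def scan(rtf):
    """Return (instruction, external_target_or_None) for each field."""
    findings = []
    for instr in field_instructions(rtf):
        norm = instr.replace("\\\\", "\\")  # Word doubles backslashes in paths
        hit = EXTERNAL_REF.search(norm) or EXTERNAL_REF.search(instr)
        findings.append((instr, hit.group(0) if hit else None))
    return findings

# Constructed sample: a page number, a field that inserts text from another
# file (INCLUDETEXT is the documented Word field for that), and a date field.
SAMPLE_RTF = r"""{\rtf1\ansi
{\field{\*\fldinst { PAGE }}{\fldrslt 1}}
{\field{\*\fldinst { INCLUDETEXT "C:\\\\constructed\\\\notes.txt" }}{\fldrslt x}}
{\field{\*\fldinst { DATE \\@ "d MMMM yyyy" }}{\fldrslt 21 October 2002}}
}"""

if __name__ == "__main__":
    for instr, target in scan(SAMPLE_RTF):
        print(("REVIEW  " if target else "ok      ") + instr)
```

Fields marked REVIEW are the ones to inspect by hand before a document is returned to its sender; binary .doc files are not handled by this sketch.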





