Word, like other members of the Office product family, provides a security mechanism that requires the user's approval to run macros. By design, any time a document is opened, Word scans it for macros. If any are found, they are handled in accordance with the user's selected security settings. By default in Word 2000 and 2002, only macros that are signed by a trusted party are enabled; all others are disabled. In Word 97, if the document contains macros, the user is prompted to enable or disable them.
A vulnerability results because it is possible to modify a Word document in such a way as to prevent the security scanner from recognizing an embedded macro while still allowing it to execute. Exploiting the vulnerability would enable an attacker to cause a macro to run automatically when such a document was opened. Such a macro would be able to take any action that the user herself could take. This could include disabling the user's Word security settings so that subsequently opened Word documents would no longer be checked for macros.
Credit:
The information has been provided by Microsoft Product Security.
Affected software:
* Microsoft Word 2002
* Microsoft Word 2000
* Microsoft Word 97
* Microsoft Word 98 (J)
* Microsoft Word 2001 for Macintosh
* Microsoft Word 98 for Macintosh
Mitigating factors:
* The vulnerability only affects Word. Other Office products are not affected.
* Customers using the Outlook E-mail Security Update (which is included as part of Word 2002) will be protected from any worm viruses contained in Word documents.
Patch availability:
Download locations for this patch
* Microsoft Word 2002:
http://office.microsoft.com/downloads/2002/wrd1001.aspx
* Microsoft Word 2000:
http://office.microsoft.com/downloads/2000/wd2kmsec.aspx
* Microsoft Word 97:
http://office.microsoft.com/downloads/9798/wd97mcrs.aspx
* Microsoft Word 98 (J) for Windows:
Patch will be available shortly
* Microsoft Word 2001 for Macintosh:
http://www.microsoft.com/mac/download/office2001/wordmacro.asp
* Microsoft Word 98 for Macintosh:
http://www.microsoft.com/mac/download/office2001/wordmacro98.asp
What's the scope of the vulnerability?
This vulnerability could enable an attacker to create a document that, when opened in Word, would run a macro without asking for the user's permission. Macros are able to take any action the user is capable of taking, and as a result this vulnerability could give an attacker an opportunity to take actions such as changing data, communicating with web sites, reformatting the hard drive or changing the Word security settings.
The vulnerability only affects Word - other members of the Office product family are not affected.
What causes the vulnerability?
The vulnerability results because it is possible to create a Word document that is malformed in such a way as to evade Word's normal macro security scans.
What's a macro?
In general, the term macro refers to a small program that automates commonly performed tasks within an operating system or an application. For instance, all members of the Office family of products support the use of macros. This allows companies, for example, to develop macros that act as sophisticated productivity tools running within Word, Excel, or other programs.
Like any computer program, though, macros can be misused. In particular, because of the popularity of Office products, many viruses are written as macros and embedded within Office documents. To combat this threat, Office has developed a security model that is designed to ensure that macros can only run when the user wants them to. In this case, however, there is a flaw in the security model that is exposed when a malformed document is opened.
What's wrong with how Word scans documents for macros?
By design, any modification to a Word document that prevents Word from identifying embedded macros should also have the effect of corrupting the macros so that they cannot execute. The vulnerability results because this is not true in one case. That is, it is possible to alter a Word document so that macros embedded within it will not be recognized as macros by Word's security architecture, but the part of Word that executes macros will still recognize them and run them.
It would not be possible to create such a document directly in Word. Instead, the attacker would need to perform low-level editing on a bona fide Word document, in order to introduce the needed malformations.
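The bulletin does not describe the malformation, so a filter cannot match on it; what a mail or file gateway can do is run a macro check that does not depend on Word's scanner and holds any compound-file document carrying VBA directory-entry names, whether or not the file's structure links them. The sketch below is an added example, not code from the bulletin or from Microsoft. It assumes 512-byte sectors and the storage and stream names `Macros`, `VBA` and `_VBA_PROJECT`, none of which is stated on this page, and its sample bytes are constructed.

```python
import struct

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")      # compound-file signature
VBA_NAMES = {"macros", "vba", "_vba_project"}      # assumed names, not from the page
ENTRY_TYPES = {1: "storage", 2: "stream", 5: "root"}

def find_vba_entries(data: bytes):
    """Return [(offset, name, type)] for directory-entry-shaped slots with VBA names.

    Every 128-byte slot after the 512-byte header is examined, whether or not
    the allocation chain links it, so the result does not depend on the
    document being well formed.
    """
    if not data.startswith(OLE_MAGIC):
        return []
    hits = []
    for off in range(512, len(data) - 127, 128):
        # Directory entry layout: 64-byte UTF-16LE name, 2-byte length, 1-byte type
        name_len, etype = struct.unpack_from("<HB", data, off + 64)
        if etype not in ENTRY_TYPES or not 2 <= name_len <= 64 or name_len % 2:
            continue
        name = data[off:off + name_len - 2].decode("utf-16-le", "replace")
        if name.lower() in VBA_NAMES:
            hits.append((off, name, ENTRY_TYPES[etype]))
    return hits

def verdict(data: bytes) -> str:
    """Gateway decision: hold anything that carries VBA entry names."""
    return "quarantine" if find_vba_entries(data) else "pass"

def _entry(name: str, etype: int) -> bytes:
    """Constructed 128-byte directory entry: name, length, type, rest zeroed."""
    raw = (name + "\0").encode("utf-16-le")
    return raw.ljust(64, b"\0") + struct.pack("<HB", len(raw), etype) + bytes(61)

# Constructed samples: a zero-padded header followed by one directory sector.
HEADER = OLE_MAGIC.ljust(512, b"\0")
SAMPLE_WITH_MACROS = HEADER + b"".join(_entry(n, t) for n, t in [
    ("Root Entry", 5), ("Macros", 1), ("VBA", 1), ("_VBA_PROJECT", 2)])
SAMPLE_CLEAN = HEADER + b"".join(_entry(n, t) for n, t in [
    ("Root Entry", 5), ("WordDocument", 2), ("1Table", 2),
    ("\x05SummaryInformation", 2)])

if __name__ == "__main__":
    for label, blob in (("macros", SAMPLE_WITH_MACROS), ("clean", SAMPLE_CLEAN)):
        print(label, verdict(blob), find_vba_entries(blob))
```

Because the scan ignores the allocation chain, it can flag leftover entries in documents whose macros were deleted; for a gateway that holds mail for review, that is the safer direction to err in.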
What could this enable an attacker to do?
An attacker could use this vulnerability to bypass the normal Word security model. Specifically, if he created a malformed document containing a macro and was able to persuade another user to open the Word file, the macro in the file would run without asking the user's permission.
What could the macro do?
The macro would be able to take any action that the user herself could take on her machine. This would include adding, changing or deleting files, communicating with a web site, reformatting the hard drive, and so forth.
It's worth noting that a macro also could change the user's security setting. This could include disabling macro protection. As a result, if the user were attacked via this vulnerability, one of the outcomes could be that the user's security settings would be reduced, and other macros that normally would be stopped by Word would now be able to run.
How would the attacker deliver the document to the other user?
The attacker would have a variety of options. He could host it on a web site or, if he had sufficient access, save it on a share. Likewise, he could target a particular user by sending it to her via e-mail or passing it to her on a floppy disk.
Does the vulnerability affect any Office products other than Word?
No. Though other Office applications use macros, Word is the only product affected by this vulnerability.
What does the patch do?
The patch eliminates the vulnerability by causing the correct macro checking to be performed even when opening a document that has been malformed in the way discussed above.
What is Word 98(J)?
Word 98(J) is a release of Word that is available only in Japanese. For all other languages, the version of Word immediately following Word 97 was Word 2000 -- there was no Word 98. In the special case of Japanese, however, there was an intermediate release between Word 97 and Word 2000, known as Word 98(J).