M-117: Microsoft Office Web Components Vulnerabilities
INFORMATION BULLETIN
[Microsoft Security Bulletin MS02-044]
August 23, 2002 21:00 GMT
PROBLEM:
Office Web Components (OWC) is a component of several Microsoft
products and provides Microsoft Office functionality within a
Web browser. There are three new vulnerabilities in the ActiveX
controls that result from implementation errors in the
methods and functions that the controls expose.

AFFECTED SOFTWARE:
Office Web Components 2000, Office Web Components 2002

DAMAGE:
A remote attacker could issue commands against the user's system;
could read files on the user's machine; could gain access to
whatever data is in the Windows clipboard.

SOLUTION:
Apply appropriate patch for Microsoft product as prescribed
in Microsoft's Security Bulletin.

VULNERABILITY ASSESSMENT:
The risk is MEDIUM. The most serious vulnerability could allow an attacker
to execute arbitrary commands on a user's system. Also, an attacker could
easily integrate the vulnerability into mass-emailing Internet worms.

[***** Start Microsoft Security Bulletin MS02-044 *****]
Unsafe Functions in Office Web Components (Q328130)
Originally posted: August 21, 2002
Summary
Who should read this bulletin: All customers using Office Web Components,
which is available as a stand-alone download and included as part of the
Microsoft® products detailed below.
Impact of vulnerability: Three vulnerabilities, the most serious of which
could allow an attacker to run commands on the user's system.
Maximum Severity Rating: Critical
Recommendation: Customers using these products should install the
appropriate patches immediately.
Affected Software:
- Microsoft Office Web Components 2000
- Microsoft Office Web Components 2002
Products which Include the Affected Software:
- Microsoft BackOffice® Server 2000
- Microsoft BizTalk® Server 2000
- Microsoft BizTalk Server 2002
- Microsoft Commerce Server 2000
- Microsoft Commerce Server 2002
- Microsoft Internet Security and Acceleration Server 2000
- Microsoft Money 2002
- Microsoft Money 2003
- Microsoft Office 2000
- Microsoft Office XP
- Microsoft Project 2002
- Microsoft Project Server 2002
- Microsoft Small Business Server 2000
Technical details
Technical description:
The Office Web Components (OWC) contain several ActiveX controls that give
users limited functionality of Microsoft Office in a web browser without
requiring that the user install the full Microsoft Office application.
This allows users to utilize Microsoft Office applications in situations
where installation of the full application is infeasible or undesirable.
The control contains three security vulnerabilities, each of which could be
exploited either via a web site or an HTML mail. The vulnerabilities result
because of implementation errors in the following methods and functions the
controls expose:
- Host(). This function, by design, provides the caller with access to
applications’ object models on the user’s system. By using the Host()
function, an attacker could, for instance, open an Office application on
the user’s system and invoke commands there that would execute operating
system commands as the user.
- LoadText(). This method allows a web page to load text into a browser
window. The method does check that the source of the text is in the same
domain as the window, and in theory should restrict the page to only
loading text that it hosts itself. However, it is possible to circumvent
this restriction by specifying a text source located within the web page’s
domain, and then setting up a server-side redirect of that text to a file
on the user’s system. This would provide an attacker with a way to read
any desired file on the user’s system.
- Copy()/Paste(). These methods allow text to be copied and pasted. A
security vulnerability results because the method does not respect the
“disallow paste via script” security setting in IE. Thus, even if this
setting had been selected, a web page could continue to access the copy
buffer, and read any text that the user had copied or cut from within
other applications.
The patch does not set the "kill bit" on the control, for reasons discussed
in the FAQ.
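The LoadText() flaw described above is an instance of checking a URL's origin once and then following redirects. The sketch below is an added example, not Microsoft's code: the redirect table, host names, file path and function names are constructed for illustration. It models a check made only on the requested URL beside a check repeated on every hop of the redirect chain.

```python
from urllib.parse import urljoin, urlsplit

# Constructed stand-ins for HTTP responses; hosts and paths are illustrative only.
REDIRECTS = {  # URL -> Location header of a server-side redirect
    "http://pages.example/data.txt": "file:///C:/constructed/sample.txt",
    "http://pages.example/a.txt": "/b.txt",
}
CONTENT = {  # URL -> text returned when the URL is finally read
    "http://pages.example/b.txt": "text hosted by the page's own site",
    "file:///C:/constructed/sample.txt": "LOCAL FILE CONTENT",
}

def origin(url):
    """Scheme, host and port: the tuple a same-domain check compares."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port)

def redirect_chain(url, max_hops=5):
    """Return every URL visited, starting with the one that was requested."""
    chain = [url]
    while chain[-1] in REDIRECTS:
        if len(chain) > max_hops:
            raise RuntimeError("too many redirects")
        chain.append(urljoin(chain[-1], REDIRECTS[chain[-1]]))
    return chain

def load_text_checked_once(page_url, src):
    """Flawed pattern: the origin check covers only the requested URL."""
    if origin(src) != origin(page_url):
        raise PermissionError("source is outside the page's domain")
    return CONTENT[redirect_chain(src)[-1]]

def load_text_checked_every_hop(page_url, src):
    """Hardened pattern: every hop, including the final one, must match."""
    chain = redirect_chain(src)
    for hop in chain:
        if origin(hop) != origin(page_url):
            raise PermissionError(f"redirect left the page's domain: {hop}")
    return CONTENT[chain[-1]]

if __name__ == "__main__":
    page = "http://pages.example/index.html"
    print(load_text_checked_once(page, "http://pages.example/data.txt"))
    try:
        load_text_checked_every_hop(page, "http://pages.example/data.txt")
    except PermissionError as exc:
        print("blocked:", exc)
```

A same-site redirect (`/a.txt` to `/b.txt` in the constructed table) still loads under the hardened check, so legitimate redirects within the page's own domain keep working.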
Mitigating factors:
Overall:
- In the case of the web-based attack, an attacker would need to force a
user to visit the attacker’s Web site. Users who exercise caution in
visiting web sites could minimize their risk.
- In the web-based attack, if ActiveX controls have been disabled in the
zone in which the page was viewed, the vulnerability could not be
exploited. Users who place untrusted sites in the Restricted Sites zone,
which disables ActiveX by default, or have disabled ActiveX controls in
the Internet zone could minimize their risk.
- In the case of HTML email based attacks, customers who read email in
the Restricted Sites zone would be protected against attempts to exploit
this vulnerability. Customers using Outlook 2002 and Outlook Express
6.0, as well as Outlook 2000 and Outlook 98 customers who have
applied the Outlook Email Security Update would thus be protected by
default. Also, Outlook Express 5.0 customers who have chosen to read
mail in the Restricted Sites zone would be protected by default.
- In the HTML email based attack, Outlook 2002 customers who have
enabled the "Read as Plain Text" option available in SP1 or later would
also be protected.
Host() Vulnerability:
- The attacker's code would be limited by restrictions on the user's account.
Users of non-privileged accounts would limit the potential damage from a
successful attack.
LoadText():
- The attacker would need to know the full path and name of the file.
Copy()/Paste():
- The vulnerability could enable an attacker to access only information in
the Windows clipboard. The information in the clipboard is unpredictable
and this vulnerability gives no means for an attacker to target and retrieve
specific information. Further, it is possible for the clipboard to be empty,
which would yield an attacker nothing.
- The security setting in question is not enabled by default. Thus, the
vulnerability does not present a threat to the default installation.
Severity Rating:
Host() Vulnerability:
                            Internet Servers  Intranet Servers  Client Systems
Office Web Components 2000  Moderate          Moderate          Critical
Office Web Components 2002  Moderate          Moderate          Critical
LoadText() Vulnerability:
                            Internet Servers  Intranet Servers  Client Systems
Office Web Components 2000  Low               Low               Critical
Office Web Components 2002  Low               Low               Critical
Copy()/Paste() Vulnerability:
                            Internet Servers  Intranet Servers  Client Systems
Office Web Components 2000  Low               Low               Low
Office Web Components 2002  Low               Low               Low
Aggregate Severity of All Vulnerabilities Addressed by this patch:
                            Internet Servers  Intranet Servers  Client Systems
Office Web Components 2000  Moderate          Moderate          Critical
Office Web Components 2002  Moderate          Moderate          Critical
The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them. While the OWC are
installed in conjunction with server products, best practices recommend
against the usage patterns, visiting untrusted web sites and reading
HTML email, required to exploit these vulnerabilities on servers.
Vulnerability identifiers:
- Host() Vulnerability: CAN-2002-0727
- LoadText() Vulnerability: CAN-2002-0860
- Copy()/Paste() Vulnerability: CAN-2002-0861
Tested Versions:
Microsoft tested the following products, Office Web Components 2000 and
Office Web Components 2002, to assess whether they are affected by this
vulnerability. There were no previous versions of OWC. In addition,
Microsoft investigated all supported versions of the software listed in
the "Products which Include the Affected Software" section to determine
whether they included the vulnerable software. Previous versions are no
longer supported, and may or may not be affected by these vulnerabilities.
Patch availability
Download locations for this patch
Additional information about this patch
Installation platforms:
General Patch:
- Microsoft BackOffice Server 2000 Gold or later
- Microsoft BizTalk Server 2000 Gold or later
- Microsoft BizTalk Server 2002 Gold or later
- Microsoft Commerce Server 2000 Gold or later
- Microsoft Commerce Server 2002 Gold or later
- Microsoft Internet Security and Acceleration Server 2000 Gold or later
- Microsoft Money 2002 or later
- Microsoft Money 2003 or later
- Microsoft Office 2000 Gold or later
- Microsoft Office XP Gold or later
- Microsoft Project Server 2002 Gold or later
- Microsoft Small Business Server 2000 Gold or later
Microsoft Project 2002 Patch:
- Microsoft Project 2002 Gold or later
Microsoft Project Server 2002 Patch:
- Microsoft Project Server 2002 Gold or later
Inclusion in future service packs:
The fix for this issue is included in Office XP Service Pack 2.
Reboot needed: No reboot is required if all Office applications are closed
when the patch is applied.
Patch can be uninstalled: No
Superseded patches: None.
Verifying patch installation:
- General patch: Verify the file versions as discussed in Q322382.
- Microsoft Project 2002 patch: Verify the file versions as discussed in
Q328043.
- Microsoft Project Server 2002 patches: Verify the file versions as
discussed in Q328044.
Caveats:
None
Localization:
Localized versions of this patch are available at the locations discussed
in "Patch Availability".
Obtaining other security patches:
Patches for other security issues are available from the following
locations:
- Security patches are available from the Microsoft Download Center, and
can be most easily found by doing a keyword search for "security_patch".
- Patches for consumer platforms are available from the WindowsUpdate
web site.
Other information:
Support:
- Microsoft Knowledge Base article Q328130 discusses this issue and will
be available approximately 24 hours after the release of this bulletin.
Knowledge Base articles can be found on the Microsoft Online Support
web site.
- Technical support is available from Microsoft Product Support Services.
There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided
"as is" without warranty of any kind. Microsoft disclaims all warranties,
either express or implied, including the warranties of merchantability
and fitness for a particular purpose. In no event shall Microsoft
Corporation or its suppliers be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business
profits or special damages, even if Microsoft Corporation or its
suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
- V1.0 (August 21, 2002): Bulletin Created.
- V1.1 (August 22, 2002): Bulletin updated to correct factual error
regarding the type of files that can be read using the LoadText() method.
[***** End Microsoft Security Bulletin MS02-044 *****]
CIAC wishes to acknowledge the contributions of Microsoft Corporation and Internet Security Systems for the
information contained in this bulletin.
DOE-CIRC can be contacted at:
Voice: +1 866-941-2472 (7 x 24)
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov/