INFORMATION BULLETIN
INFORMATION BULLETIN
| PROBLEM: | EXCEL - A security vulnerability that could allow malicious code execution
exists in the Microsoft Excel method used to check the spreadsheet before
reading the macro instructions.
WORD - A security vulnerability that could allow malicious code execution in Microsoft Word exists due to to the way Word checks the length of a data value (Macro names) embedded in a document. |
| PLATFORM: | Microsoft Excel 97 Microsoft Excel 2000 Microsoft Excel 2002 Microsoft Word 97 Microsoft Word 98(J) Microsoft Word 2000 Microsoft Works Suite 2001 Microsoft Word 2002 Microsoft Works Suite 2002 Microsoft Works Suite 2003 Microsoft Works Suite 2004 |
| DAMAGE: | EXCEL - an attacker could craft a malicious file that could bypass the
macro security model. Having access to the same permissions as the user,
the malicious macro could perform various actions.
WORD - If a specially crafted document were to be opened it could overflow a data value in Word and allow arbitrary code to be executed. Having access to the same permissions as the user, the attacker could perform various actions. |
| SOLUTION: | Apply patches as recommended by Microsoft. EXCEL - This patch replaces the security patches contained in the following bulletins:MS01-050(CIAC Bulletin M-004), MS02-031, and MS02-059. WORD - This patch replaces the security patches contained in the following bulletins: MS02-021(CIAC Bulletin M-073), MS02-031, MS02-059 and MS03-035(CIAC Bulletin N-142). |
| VULNERABILITY ASSESSMENT: |
The risk is MEDIUM. These vulnerabilities could only be exploited by an attacker who persuaded a user to open a malicious file. |
| LINKS: | |
| CIAC BULLETIN: | http://www.ciac.org/ciac/bulletins/o-023.shtml |
| ORIGINAL BULLETIN: | http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-050.asp |
| CVE/CAN: | http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CAN-2003-0820 CAN-2003-0821 |
[***** Start Microsoft Security Bulletin MS03-050 *****] Microsoft Security Bulletin MS03-050 Vulnerability in Microsoft Word and Microsoft Excel Could Allow Arbitrary Code to Run (831527) Issued: November 11, 2003 Version: 1.0 See all Office bulletins released November, 2003 Summary Who should read this document: Customers who are using Microsoft® Excel or Microsoft Word Impact of vulnerability: Run code of attackers choice Maximum Severity Rating: Important Recommendation: Customers who are using the affected versions of Microsoft Excel or Microsoft Word should apply the appropriate security update at the earliest opportunity. Security Update Replacement Excel: This patch replaces the security patches contained in the following bulletins: MS01-050, MS02-031 and MS02-059. Security Update Replacement Word: This patch replaces the security patches contained in the following bulletins: MS02-021, MS02-031, MS02-059 and MS03-035. Caveats: None Tested Software and Security Update Download Locations: Affected Software: Microsoft Excel 97 - Download the update Microsoft Excel 2000 - Download the update Microsoft Excel 2002 - Download the update Microsoft Word 97 - Download the update Microsoft Word 98(J) - Download the update Microsoft Word 2000 and Microsoft Works Suite 2001 - Download the update Microsoft Word 2002, Microsoft Works Suite 2002, Microsoft Works Suite 2003, and Microsoft Works Suite 2004 - Download the update Non Affected Software: Microsoft Office Word 2003 Microsoft Office Excel 2003 The software listed above has been tested to determine if the versions are affected. Other versions are no longer supported, and may or may not be affected. Technical Details Technical description: A security vulnerability exists in Microsoft Excel that could allow malicious code execution. This vulnerability exists because of the method Excel uses to check the spreadsheet before reading the macro instructions. If successfully exploited, an attacker could craft a malicious file that could bypass the macro security model. If an affected spreadsheet was opened, this vulnerability could allow a malicious macro embedded in the file to be executed automatically, regardless of the level at which the macro security is set. The malicious macro could then take the same actions that the user had permissions to carry out, such as adding, changing or deleting data or files, communicating with a web site or formatting the hard drive. A security vulnerability exists in Microsoft Word that could allow malicious code execution. This vulnerability exists due to to the way Word checks the length of a data value (Macro names) embedded in a document. If a specially crafted document were to be opened it could overflow a data value in Word and allow arbitrary code to be executed. If successfully exploited, an attacker could then take the same actions as the user had permissions to carry out, such as adding, changing or deleting data or files, communicating with a web site or formatting the hard drive. Mitigating factors: If a user of Office 97 or Office 2000 has installed the Office Documentation Open Confirm Tool, the user will always get a “file open” warning dialog box when trying to open an Office document using Internet Explorer. For Office XP and Office System 2003 this “file open” warning dialog box is enabled by default. These vulnerabilities could only be exploited by an attacker who persuaded a user to open a malicious file – there is no way for an attacker to force a user to open a malicious file. Severity Rating: Microsoft Excel 97 Important Microsoft Excel 2000 Important Microsoft Excel 2002 Important Microsoft Word 97 Important Microsoft Word 98(J) Important Microsoft Word 2000 Important Microsoft Word 2002 Important Microsoft Works Suite 2001 Important Microsoft Works Suite 2002 Important Microsoft Works Suite 2003 Important Microsoft Works Suite 2004 Important The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. Vulnerability identifier Word: CAN-2003-0820 Vulnerability identifier Excel: CAN-2003-0821 Workarounds Due to the fact that this vulnerability bypasses the built-in macro security, the best workaround if you are unable to deploy the update is to not open documents from un-trusted sources. Security Update Information For information about the specific security update for your platform, click the appropriate link: For Microsoft Works Suite 2001 use the Word 2000 section For Microsoft Works Suite 2002, 2003 and 2004 update use the Word 2002 section Acknowledgments Microsoft thanks for working with us to protect customers: Kazuyuki Housaka for reporting the issue in Excel. Obtaining other security updates: Updates for other security issues are available from the following locations: Security updates are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch". Updates for consumer platforms are available from the WindowsUpdate web site Support: Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls associated with security patches. International customers can get support from their local Microsoft subsidiaries. There is no charge for support associated with security updates. Information on how to contact Microsoft support is available at http://support.microsoft.com/common/international.aspx Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products. Microsoft Software Update Services: http://www.microsoft.com/sus/">http://www.microsoft.com/sus/">http://www.microsoft.com/sus/"> http://www.microsoft.com/sus/">http://www.microsoft.com/sus/ Microsoft Baseline Security Analyzer (MBSA) details: http://www.microsoft.com/technet/security/tools/mbsahome.asp. Please see http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for list of security updates that have detection limitations with MBSA tool. Windows Update Catalog: http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166 Windows Update: http://windowsupdate.microsoft.com Office Update: http://office.microsoft.com/officeupdate/ Software Update Services (SUS): Microsoft Software Update Services (SUS) enables administrators to quickly and reliably deploy the latest critical updates and security updates to Windows® 2000 and Windows Server™ 2003-based servers, as well as to desktop computers running Windows 2000 Professional or Windows XP Professional. For information about how to deploy this security patch with Software Update Services, visit the following Microsoft Web site: http://www.microsoft.com/sus/ Systems Management Server (SMS): Systems Management Server can provide assistance deploying this security update. For information about Systems Management Server visit the SMS Web Site. SMS also provides several additional tools to assist administrators in the deployment of security updates such as the SMS 2.0 Software Update Services Feature Pack and the SMS 2.0 Administration Feature Pack. The SMS 2.0 Software Update Services Feature Pack utilizes the Microsoft Baseline Security Analyzer and the Microsoft Office Detection Tool to provide broad support for security bulletin remediation. Some software updates may require administrative rights following a restart of the computer. Note: The inventory capabilities of the SMS 2.0 Software Update Services Feature Pack may be used for targeting updates to specific computers, and the SMS 2.0 Administration Feature Pack's Elevated Rights Deployment Tool can be used for installation. This provides optimal deployment for updates that require explicit targeting using Systems Management Server and administrative rights after the computer has been restarted. Disclaimer: The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Revisions: V1.0 (November 11, 2003): Bulletin published [***** End Microsoft Security Bulletin MS03-050 *****]
Voice: +1 866-941-2472 (7 x 24)
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov/