Security Bulletin

Microsoft Security Bulletin MS00-056 - Critical

Patch Available for 'Microsoft Office HTML Object Tag' Vulnerability

Published: August 09, 2000 | Updated: February 28, 2003

Version: 1.2


Summary

Microsoft has released a patch that eliminates a security vulnerability in certain Microsoft® Office 2000 products. The vulnerability could allow a user to construct a HyperText Markup Language (HTML) file that, when read, would crash a Microsoft Office 2000 application or potentially run arbitrary or malicious code.

Affected Software:

  • Microsoft Word 2000
  • Microsoft Excel 2000
  • Microsoft PowerPoint 2000

(These products ship as part of the Office 2000 suite and as stand-alone products.)

Note: Previous versions of these products are not affected by this vulnerability.

Note: Office 2000 products other than those specifically listed above are not affected by this vulnerability.

Vulnerability Identifier: CVE-2000-0765

General Information

Technical details

Technical description:

Microsoft Office 2000 applications are capable of reading HTML files saved as Office documents. A malformed data object tag embedded in one of these documents could cause the Office application to crash and allow arbitrary code to be executed.

In order for this behavior to occur, a malicious user would need to entice a user into opening the malformed Office document. Word 2000 users can protect themselves from opening malformed HTML documents within Word by enabling "Confirm conversion at Open" from the Tools-Options-General tab. In addition, Outlook users who have applied the Outlook Security Update will be prompted before opening web hosted or mail-borne Office documents.

Frequently asked questions

What's this bulletin about?
Microsoft Security Bulletin MS00-056 announces the availability of a patch that eliminates a vulnerability in certain Microsoft® Office 2000 products. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
This is a buffer overrun vulnerability. A malicious user could exploit the vulnerability to construct an Office 2000 document that, when opened by the user, would have either of two effects. In the less serious case, it could cause the Office 2000 application to fail. In the more serious case, it could cause code of the malicious user's choice to execute on the recipient's computer. Such code could take any action that the user was authorized to take on the machine, including reformatting the hard drive, communicating with an external web site, or changing data on the computer. Word 2000 users can protect themselves from opening malformed HTML documents within Word by enabling "Confirm conversion at Open" from the Tools-Options-General tab. In addition, Outlook users who have applied the Outlook Security Update will be prompted before opening web-hosted or mail-borne Office documents.

What causes the vulnerability?
The vulnerability results because the HTML interpreter used by Office 2000 contains an unchecked buffer in the module that interprets embedded object tags. This could allow a malicious user to create an Office 2000 document that, when opened, could cause code of his choice to run on the local computer.

What's an unchecked buffer, and why does it cause the vulnerability?
A buffer is a storage area within a program. When a program reads an input, it stores it within a buffer in the program's memory. However, it's important to ensure that the data will actually fit into the buffer before attempting to store it in the buffer, or a buffer overrun condition can result. In a buffer overrun, the length of the data exceeds the length of the buffer, and this has the effect of enabling new code to be introduced into the program. The new code would be limited only by the user's authorization on the computer - anything the user was authorized to do on the computer, the new code could do as well.

What is an HTML interpreter?
An HTML interpreter is the engine that parses and displays HTML code that resides within Office documents. HTML code can include formatted links for web sites, email addresses, and objects residing on remote servers.

What is an Object Tag?
The Object tag is an HTML attribute that is used to refer to other objects such as ActiveX controls, Office documents, scriptlets, COM objects, etc.

Can I prevent Microsoft Office 2000 applications from interpreting documents with HTML?
Word 2000 users may set "Confirm conversion at Open" from the Tools-Options-General tab. This will cause all Word 2000 documents to be opened as plain text and would prevent them from being vulnerable to this problem.

How could a malicious user exploit this vulnerability?
The malicious user would need to create a specially crafted HTML file and save it as an Office document. The malicious user would then have to cause the document to be opened by another user. When the victim user opened the document, the Object tag data would overflow the buffer of the HTML interpreter and cause it to execute arbitrary code. The effect of the overrun would depend on the data that the malicious user had put into the Object tag. If it were random data, the effect would be to cause the Office application to fail. However, if it were carefully selected, it could be used to make the Office application perform other functions of the malicious user's choice.

Are Macintosh versions of Office 2000 affected?
No, this vulnerability does not affect Macintosh versions of the software.

Are any versions of Microsoft Project affected by this vulnerability?
No.

Are any versions of Microsoft Access affected by this vulnerability?
No.

Are any versions of Outlook or Outlook Express affected by this vulnerability?
No. Outlook users who utilize Word 2000 as their email editor will not be vulnerable after applying this patch.

Who should use the patch?
Microsoft recommends that all users of the listed Office 2000 applications consider installing the patch.

What does the patch do?
The patch modifies the software to check the length of the Object tag in question so as to ensure that a buffer overflow will not occur.
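The unchecked buffer described under "What's an unchecked buffer" and the length check the patch adds, shown side by side as an added C example that is not Microsoft's code. The 64-byte buffer, the function names and the `name="value"` attribute syntax are assumptions; the bulletin does not identify the affected field or the real buffer size.

```c
#include <stddef.h>
#include <string.h>
#define ATTR_BUF_LEN 64 /* assumed size; the bulletin does not give the real one */

enum attr_status { ATTR_OK, ATTR_MISSING, ATTR_UNTERMINATED, ATTR_TOO_LONG };

/* Find name="value" in a tag; on success report where the value starts and its length. */
enum attr_status find_attr(const char *tag, const char *name, const char **val, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = tag;
    while (nlen && (p = strstr(p, name)) != NULL) {
        /* Only accept the name when it starts a new attribute (not "metadata"). */
        int boundary = p > tag && (p[-1] == ' ' || p[-1] == '\t');
        if (boundary && p[nlen] == '=' && p[nlen + 1] == '"') {
            const char *end = strchr(p + nlen + 2, '"');
            if (end == NULL)
                return ATTR_UNTERMINATED;
            *val = p + nlen + 2;
            *len = (size_t)(end - *val);
            return ATTR_OK;
        }
        p += nlen;
    }
    return ATTR_MISSING;
}

/* Unchecked form: len comes from the document and is never compared with dst's size. */
void copy_attr_unchecked(char *dst, const char *val, size_t len)
{
    memcpy(dst, val, len);
    dst[len] = '\0';
}

/* Checked form: refuse any value that does not fit, terminator included. */
enum attr_status copy_attr_checked(char *dst, size_t dst_len, const char *val, size_t len)
{
    if (len >= dst_len)
        return ATTR_TOO_LONG;
    memcpy(dst, val, len);
    dst[len] = '\0';
    return ATTR_OK;
}

/* Read one attribute of an <object> tag into a fixed-size buffer. */
enum attr_status read_object_attr(const char *tag, const char *name, char *dst, size_t dst_len)
{
    const char *val = NULL;
    size_t len = 0;
    enum attr_status st = find_attr(tag, name, &val, &len);
    return st == ATTR_OK ? copy_attr_checked(dst, dst_len, val, len) : st;
}
```

Rejecting the over-long value outright, rather than truncating it, keeps the parser from acting on a partial attribute.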

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.

How do I use the patch?
Knowledge Base article Q269880 contains detailed instructions for applying the patch to your site. Office SR-1 is required before this patch can be applied.

How can I tell if I installed the patch correctly?
Knowledge Base article Q269880 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.

What is Microsoft doing about this issue?

  • Microsoft has delivered a patch that eliminates the vulnerability.
  • Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
  • Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
  • Microsoft has issued Knowledge Base article Q269880 explaining the vulnerability and procedure in more detail.

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms: Please see the following references for more information related to this issue.

  • Microsoft Knowledge Base (KB) article Q269880

Other information:

Acknowledgments

Microsoft thanks Jesper M. Johansson for reporting this issue to us and working with us to protect customers.

Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at https:.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (August 09, 2000): Bulletin Created.
  • V1.1 (August 10, 2000): Bulletin updated to change 'disabling' to 'enabling' in the second paragraph under Issue.
  • V1.2 (February 28, 2003): Updated download link for patch.
