What's this bulletin about?
Microsoft Security Bulletin MS00-056 announces the availability of a patch that eliminates a vulnerability in certain Microsoft® Office 2000 products. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a buffer overrun vulnerability. A malicious user could exploit the vulnerability to construct an Office 2000 document, that, when opened by the user, would have either of two effects. In the less serious case, it could cause the Office 2000 application to fail. In the more serious case, it could cause code of the malicious user's choice to execute on the recipient's computer. Such code could take any action that the user was authorized to take on the machine, including reformatting the hard drive, communicating with an external web site, or changing data on the computer.
Word 2000 users can protect themselves from opening malformed HTML documents within Word by enabling "Confirm conversion at Open" from the Tools-Options-General tab. In addition, Outlook users who have applied the Outlook Security Update will be prompted before opening web hosted or mail-borne Office documents.
What causes the vulnerability?
The vulnerability results because the HTML interpreter used by Office 2000 contains an unchecked buffer in the module that interprets embedded object tags. This could allow a malicious user to create an Office 2000 document that, when opened, could cause code of his choice to run on the local computer.
What's an unchecked buffer, and why does it cause the vulnerability?
A buffer is a storage area within a program. When a program reads an input, it stores it within a buffer in the program's memory. However, it's important to ensure that the data will actually fit into the buffer before attempting to store it in the buffer, or a buffer overrun condition can result.
In a buffer overrun, the length of the data exceeds the length of the buffer, and this has the effect of enabling new code to be introduced into the program. The new code would be limited only by the user's authorization on the computer - anything the user was authorized to do on the computer, the new code could do as well.
What is an HTML interpreter?
An HTML interpreter is the engine that parses and displays HTML code that resides within Office documents. HTML code can include formatted links for web sites, email address, and objects residing on remote servers.
What is an Object Tag?
The Object tag is an HTML attribute to that is used to refer to other objects such as: Active X controls, Office documents, scriptlets, COM objects, etc.
Can I prevent Microsoft Office 2000 applications from interpreting documents with HTML?
Word 2000 users may set "Confirm conversion at Open" from the Tools-Options-General tab. This will cause all Word 2000 documents to be opened as plain text and would prevent them from being vulnerable to this problem.
How could a malicious user exploit this vulnerability?
The malicious user would need to create a specially crafted HTML file and save it as an Office document. The malicious user would then have to cause the document to be opened by another user. When the victim user opened the document, the Object tag data would overflow the buffer of the HTML interpreter and cause it to execute arbitrary code.
The effect of the overrun would depend on the data that the malicious user had put into the Object tag. If it were random data, the effect would be to cause the Office application to fail. However, if it were carefully selected, it could be used to make the Office application perform other functions of the malicious user's choice.
Are Macintosh versions of Office 2000 affected?
No, this vulnerability does not affect Macintosh versions of the software.
Are any versions of Microsoft Project affected by this vulnerability?
No.
Are any versions of Microsoft Access affected by this vulnerability?
No.
Are any versions of Outlook or Outlook Express affected by this vulnerability?
No. Outlook users who utilize Word 2000 as their email editor will not be vulnerable after applying this patch.
Who should use the patch?
Microsoft recommends that all users of the listed Office 2000 applications consider installing the patch.
What does the patch do?
The patch modifies the software to check the length of the Object tag in question so as to ensure that a buffer overflow will not occur.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .
How do I use the patch?
Knowledge Base article Q269880 contains detailed instructions for applying the patch to your site. Office SR-1 is required before this patch can be applied.
How can I tell if I installed the patch correctly?
Knowledge Base article Q269880 provides a manifest of the files in the patch package.The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
- Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued Knowledge Base article Q269880 explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
