What's the scope of the vulnerability?
This vulnerability could enable a malicious user to create specially formed Excel or PowerPoint files that would bypass macro security and execute automatically when the document is opened. Because macros by design can take any action that the user is able to take, this vulnerability could allow an attacker to take actions such as changing or deleting data, communicating with web sites, or changing the macro security settings.
This would not be able to take any actions that the user is not normally capable of. As such, access controls that limit the user's abilities would also limit the ability of the malicious documents. Further, a successful attack would require that the user open the malicious document. Best practices recommend that users not open documents from unknown or untrusted sources.
What causes the vulnerability?
The vulnerability results because the macro detecting framework can fail to detect all instances in which the macro processor can execute macro commands. When a valid document is intentionally designed to obfuscate the presence of macros, it is still possible for those marcos to execute.
What are macros?
Macros are small programs within applications such as Excel and PowerPoint. When macros run, they can take actions within the application or the operating system as if they were the user. An example of a simple action a macro might take in an application would be to find and replace text within a document. A more sophisticated macro might include features that perform automatic formatting on a document, copy files from the local system to the network, and send review copies by email.
Because macros are really small programs, it is possible for attackers to create malicious macros that take undesirable actions, such as deleting files, sending unwanted messages by email, or changing the data in documents. To help protect against malicious macros, Excel and PowerPoint have a security model that prevent macros from executing without warning.
What's wrong with the macro protection in Excel and PowerPoint?
It is possible for a malicious user to create a specially malformed Excel or PowerPoint document that would bypass the macro protections and allow macros to execute automatically.
Is it possible to create a document like this by accident?
No. It is not possible to create a document that bypasses macro protection by accident. It would require very specific, detailed knowledge and such a document would have to be specifically constructed with malicious intent.
What could an attacker use this vulnerability to do?
This could allow an attacker to craft a malicious document with macro code that would run automatically when the user opened the document.
What actions could the malicious document take?
Because macros take action on behalf of the user, a macro virus that ran would be able to take actions that the user himself is able to take, including changing or deleting files, sending data to external web sites, or reformatting the hard drive.
It's important to highlight that this means that it is possible for a macro virus to reset the user's security settings. A successful macro virus attack could leave a system vulnerable to future attack by disabling the security settings.
How would an attacker carry out an attack against this vulnerability?
An attacker could carry out an attack by several different routes. She could host a malicious document on a web site internally or on the Internet. She could place a malicious document on any file server to which she had appropriate permissions. Additionally, she could target specific individuals by sending a copy through email.
It's important to note that all attempts to carry out an attack require the potential victim to open the document. It is not possible to exploit this vulnerability without the user's action. Opening documents only from known, trusted sources will help to protect against an attempt to maliciously exploit this vulnerability.
What does the patch do?
The patch eliminates the vulnerability by improving the code which detects the presence of macros in these document types.
Who should apply the patch?
Anyone using or administering systems running the affected software versions should apply the patch
I'm running Excel 97 and/or PowerPoint 97, does this issue affect me?
First, it's important to understand that Excel and PowerPoint 97 do not have the same macro security framework as Excel and PowerPoint 2000 and 2002. The Excel and PowerPoint 97 macro security framework lacks many key features that the 2000 and 2002 macro security framework has, including a digital signature trust model that allows trusted, signed macros to be differentiated from untrusted, unsigned macros. Under this older framework, it is difficult for a user to make an informed decision regarding the trustworthiness of macros.
In addition, as noted under "Tested Versions", Excel and PowerPoint 97 are no longer supported products.
Because of these two issues, customers who are concerned about macro security are urged to upgrade to a support version with a more robust macro security model.
Are other members of the Office Suite vulnerable?
No. All members of the Office Suites for Windows and Macintosh were tested. No other products in the Office Suite were found to be vulnerable.
