Microsoft Security Bulletin MS02-031
Cumulative Patches for Excel and Word for Windows (Q324458)
Originally posted: June 19, 2002
Updated: February 28th, 2003
Summary
Who should read this bulletin:
Customers using Microsoft® Excel for Windows® or Microsoft Word for Windows.
Impact of vulnerability:
Run code of attacker's choice.
Maximum Severity Rating:
Moderate
Recommendation:
Customers should apply the patches.
Affected Software:
- Microsoft Excel 2000 for Windows
- Microsoft Office 2000 for Windows
- Microsoft Excel 2002 for Windows
- Microsoft Word 2002 for Windows
- Microsoft Office XP for Windows
General Information
Technical details
Technical description:
This is a set of cumulative patches that, when applied, applies all previously released fixes for these products.
In addition, these patches eliminate four newly discovered vulnerabilities all of which could enable an attacker to run Macro code on a user's machine. The attacker's macro code could take any actions on the system that the user was able to.
- An Excel macro execution vulnerability that relates to how inline macros that are associated with objects are handled. This vulnerability could enable macros to execute and bypass the Macro Security Model when the user clicked on an object in a workbook.
- An Excel macro execution vulnerability that relates to how macros are handled in workbooks when those workbooks are opened via a hyperlink on a drawing shape. It is possible for macros in a workbook so invoked to run automatically.
- An HTML script execution vulnerability that can occur when an Excel workbook with an XSL Stylesheet that contains HTML scripting is opened. The script within the XSL stylesheet could be run in the local computer zone.
- A new variant of the "Word Mail Merge" vulnerability first addressed in MS00-071. This new variant could enable an attacker's macro code to run automatically if the user had Microsoft Access present on the system and chose to open a mail merge document that had been saved in HTML format.
Mitigating factors:
Excel Inline Macros Vulnerability:
- A successful attack exploiting this vulnerability would require that the user accept and open a workbook from an attacker and then click on an object within the workbook.
Hyperlinked Excel Workbook Macro Bypass:
- A successful attempt to exploit this vulnerability would require that the user accept and open an attacker's workbook and click on a drawing shape with a hyperlink.
- An attacker's destination workbook would have to be accessible to the user, either on the local system on an accessible network location.
Excel XSL Stylesheet Script Execution:
- A user would have to accept and open an attacker's workbook to exploit this vulnerability.
- In addition, the user would have to acknowledge a security warning by selecting the non-default option.
Variant of MS00-071, Word Mail Merge Vulnerability:
- The Word mail merge document would have to be saved in HTML format. As Word is not the default handler for HTML applications, the user would have to choose to open the document in Word, or acknowledge a security warning.
- A successful attack requires that Access be installed locally.
- The attacker's data source has to be accessible to the user across a network.
Severity Rating:
Excel Inline Macros Vulnerability:
| Internet Servers | Intranet Servers | Client Systems | |
|---|---|---|---|
| Excel 2000 | Low | Low | Moderate |
| Excel 2002 | Low | Low | Moderate |
Hyperlinked Excel Workbook Macro Bypass:
| Internet Servers | Intranet Servers | Client Systems | |
|---|---|---|---|
| Excel 2000 | Low | Low | Low |
| Excel 2002 | Low | Low | Low |
Excel XSL Stylesheet Script Execution:
| Internet Servers | Intranet Servers | Client Systems | |
|---|---|---|---|
| Excel 2000 | Low | Low | Moderate |
| Excel 2002 | Low | Low | Moderate |
Variant of MS00-071, Word Mail Merge Vulnerability:
| Internet Servers | Intranet Servers | Client Systems | |
|---|---|---|---|
| Word 2002 | Low | Low | Moderate |
Aggregate Severity of all vulnerabilities addressed by this patch (including issues addressed in previously released patches):
| Internet Servers | Intranet Servers | Client Systems | |
|---|---|---|---|
| Excel 2000 | Low | Low | Moderate |
| Excel 2002 | Low | Low | Moderate |
| Word 2002 | Low | Low | Moderate |
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. Word and Excel are primarily intended for use on client systems. All vulnerabilities require some degree of user interaction for a successful attack. The Hyperlinked Excel Workbook Macro Bypass requires that an attacker make a malicious workbook available either locally or on the network, in addition to enticing the user to accept a different workbook and click on a hyperlinked shape within it.
Vulnerability identifiers:
- Excel Inline Macros Vulnerability:CAN-2002-0616
- Hyperlinked Excel Workbook Macro Bypass: CAN-2002-0617
- Excel XSL Stylesheet Script Execution: CAN-2002-0618
- Variant of MS00-071, Word Mail Merge Vulnerability: CAN-2002-0619
Tested Versions:
Microsoft tested Excel 2000, Excel 2002, Word 2000, and Word 2002 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.
Frequently asked questions
What vulnerabilities are eliminated by this patch?
This is a cumulative patch that, when applied, address all previously addressed vulnerabilities. In addition, it eliminates four new vulnerabilities:
- A macro execution vulnerability in Excel that results from a flaw in how Excel handles inline Macros.
- A macro execution vulnerability in Excel that results from a flaw in how macros in external workbooks are handled when opened by a hyperlink on a drawing shape within a workbook.
- A script execution vulnerability related to how Excel processes workbooks that contain XSL style
- A variant of the "Word Mail Merge" vulnerability first addressed in MS00-071.
Excel Inline Macros Vulnerability: (CAN-2002-0616):
What's the scope of the first vulnerability?
This vulnerability could enable an attacker to cause macros contained within an Excel workbook to execute outside of the constraints of the macro security settings. Because macros by design can take any action that a user can take, this vulnerability has the net effect of enabling an attacker to take the same actions on the system that the user is capable of including adding, changing or deleting data, communicating with web sites, or changing security settings, including the macro security settings.
An attacker could not automate an attack using this vulnerability: the user would have to be enticed into taking an action after opening the attacker's workbook. In addition, any constraints that limit the user's actions would also inhibit the attacker's macros.
What causes the vulnerability?
The vulnerability results because of a flaw in how Excel handles specially formatted inline macros that are attached to objects within a workbook. It's possible to assign a macro to an object in such a way that the Macro Security Model fails to correctly recognize it as a macro. As a consequence, when the object is activated and the macro is called, the Macro Security Model is bypassed, and the macro runs with no security restrictions.
In addition to the cells that are usually associated with a spreadsheet, Excel provides support for objects within workbooks. There are many objects that Excel makes available, but some commonly known objects include drawing objects, such as charts and graphs, command buttons, and menu buttons, among others.
These objects make available a variety of functions and capabilities, based on their type, but in general they help expand the capabilities of Excel from being a simple spreadsheet program to a full fledged application development environment.
What are inline macros?
To support the expanded functionality that objects provide, one of the capabilities that all objects in Excel support is the ability to assign a macro to an object. This macro can then provide any code-based functionality to the object that the user or developer wants to add.
For example, suppose that a user has developed a spreadsheet for calculating mortgage rates and the user wants to be able to recalculate rates. The user can add a command button to the spreadsheet and then assign a macro that performs the desired calculations to that object. The user can then click on the command button to run the macro assigned to it and thus recalculate the mortgage rates.
By design, macros that are assigned to an object can be stored in a macro code module. However, in the case of this vulnerability it can be entered directly into the object's properties. In this case the macro is referred to as an "inline macro" because the macro code is actually stored inline with the object's properties.
What is the Office Macro Security Model?
Macros are, in essence, small programs. As with programs, it is possible for malicious users to create hostile macros that seek to cause harm or disruption to the system by taking actions such as deleting files, changing security settings, or altering data in files. To help protect against hostile macros, members of the Office family support a Macro Security Model that helps users ensure that only safe, authorized macros are run while unsafe, untrusted macros are disabled.
What's wrong with how Excel handles inline macros attached to objects?
There is a flaw in how the Macro Security Model detects the presences of inline macros within Excel objects. Specifically, the Macro Security Model fails to correctly detect the macro.
What could this vulnerability enable an attacker to do?
Because the flaw causes the Macro Security Model to fail to detect the presence of a macro, this flaw can provide a means by which an attacker could bypass the Macro Security Model entirely. As a result, the attacker could make macro code run that would otherwise be disabled.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by crafting an Excel workbook and inserting an object into the workbook. The attacker would then assign an inline macro to the object. The attacker would have to entice the user to open the malicious workbook and then activate the object by clicking on it. However, the attacker could take steps to obscure the object in such a way that the user may not recognize the presence of an object and inadvertently activate the object simply by clicking on the spreadsheet itself.
What does the patch do?
The patch eliminates the vulnerability by disabling all inline macros in the Medium and High security settings.
Does this mean that inline macros are still enabled in the Low Security Setting?
Yes. However, the Low security setting provides no protections against hostile macros. As a result, in this security setting, there is no vulnerability, since no protections are bypassed.
Hyperlinked Excel Workbook Macro Bypass (CAN-2002-0617):
What's the scope of the second vulnerability?
This is an Excel macro execution vulnerability. An attacker who was able to successfully exploit this vulnerability could cause macros contained within an Excel workbook to execute outside of the constraints of the macro security settings.
An attacker could not automate an attack using this vulnerability: the user would have to be enticed into taking an action after opening the attacker's workbook. In addition, any constraints that limit the user's actions would also inhibit the attacker's macros.
What causes the vulnerability?
The vulnerability results because of a flaw in how Excel macros in a workbook are handled when that workbook is opened through a hyperlink that is associated with a drawing shape in another workbook.
When the destination workbook is opened, the Macro Security Model does not detect the presence of macros in the target workbook. As a result, any autoexecute macros in the destination workbook would run as soon as that workbook was opened, without any security constraints.
What are drawing shapes?
As noted above, Excel provides a number of different objects that can be inserted into workbooks. One particular type of object that Excel supports are drawing shapes. Drawing shapes are graphical objects such as circles, squares, rectangles, or freeform shapes that can be inserted into a workbook.
How do drawing shapes support hyperlinks?
In the same way that objects support macros as an assigned property, they also support hyperlinks. This means that a drawing shape can be made into a hyperlink that will take action when the shape is activated.
For example, suppose a user has created a circle on a page in a workbook and they want users to be able to bring up a web site's home page by clicking on that shape. The user can set the hyperlink property of the shape to the web page in question. When user then clicks on the shape, the hyperlink is invoked and the web page opened.
Because hyperlinks can point to any file type, hyperlinks can also be used to point to Excel workbooks. Using the example above, it's also possible to have a circle point to an Excel workbook. When the user would click on the shape with the hyperlink, the destination workbook would be opened.
What's wrong with how Excel handles workbooks that are opened through a hyperlink associated with a drawing shape?
In this particular sequence of events, Excel fails to properly invoke the Macro Security Model when the destination workbook is opened. As a result, the Macro Security Model is bypassed entirely allowing any autoexecute macros to run automatically, with no warning.
It's important to note that this flaw occurs only in conjunction with this sequence of events.
What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to run macro code when the user thought that code would be blocked by the Macro Security Model.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by creating two workbooks, a source workbook and a destination workbook. The attacker would create a hyperlink on a shape in the source workbook that points to the destination workbook. In the destination workbook, the attacker could create an autoexecute macro. The attacker would then have to ensure that the destination workbook was accessible to the user in some way, by giving it to the user or posting on a network share or a web site.
The attacker would then have to send the source workbook to the intended victim and entice the victim to open the workbook, and click on the hyperlinked shape. As long as the destination workbook was accessible, the destination workbook would be opened, and the macro code would execute.
What does the patch do?
The patch eliminates the vulnerability by ensuring that the Macro Security Model is invoked when a workbook is opened through a hyperlink associated with a drawing shape.
Excel XSL Stylesheet Script Execution: (CAN-2002-0618):
What's the scope of the third vulnerability?
This vulnerability could enable an attacker to cause HTML scripts to execute as if they were run locally on the user's system. The scripts could take any action that the user was capable of, including adding, changing or deleting files or changing security settings.
An attacker seeking to exploit this vulnerability would have to convince the intended target to open a file. There is no way to mount an automated attack against this vulnerability; in all cases there is user interaction required to mount a successful attack.
Any limitations on a user's ability to make changes to the system would also limit the attacker's script. For example, if a user were prohibited from deleting information on the local system, the attacker's script would be similarly restricted.
What causes the vulnerability?
The vulnerability results because of a flaw in how XSL Stylesheets within Excel workbooks are handled under the Macros Security Model. The Macro Security Model fails to correctly detect the presence of HTML scripting when contained within an Excel workbook that contains an XSL stylesheet.
What is XSL?
XSL (eXtensible Stylesheet Language) is a language that provides a means to sort and manipulate XML data. It can be thought of as a query language for XML data. For example, suppose you have customer data in XML format that is ordered by last name and you want to sort it by customer ID. You would use XSL to define the sorting rule for this data.
What is an XSL stylesheet?
Where XSL is the language that is used for manipulating XML data, an XSL stylesheet is what actually contains the XSL. An XSL stylesheet therefore is a document that contains instructions in XSL. This file then can be "applied" by any application that supports XSL.
What is XML?
XML (Extensible Markup Language) is an industry-standard format for storing data that facilitates data transfer across the Internet. XML provides a common means for structuring data so that multiple applications can recognize it. Using the example above, XML can be used to structure customer data and meta-data so that any application that supports XML could correctly identify the structure of the data, such as the customer ID and last name, and the data itself.
What's wrong with how XSL stylesheets are handled within Excel?
There is a flaw in how the Macro Security Model handles script within XSL Stylesheets that are contained in an Excel workbook. Specifically, it fails to correctly detect the presence of script and block its execution.
What could this vulnerability enable an attacker to do?
This vulnerability could allow an attacker to run HTML scripts on the local system as if the user had elected to run them. This means that the script would run in the Local Computer zone. Since the Local Computer zone is intended for scripts run directly by the user, scripts run in this zone can take actions similar to those that a user can take directly. For example, a script in the local computer zone could add, change, or delete the same files that a user could.
Conversely, any restrictions on the user's ability to make changes to the local system would also limit that attacker's script. This means that if a user were prevented from changing a file due to permissions on the local file system, the attacker's script would be similarly prevented from making changes.
How could an attacker exploit this vulnerability?
An attacker would most likely seek to exploit this vulnerability by creating an Excel workbook that has an XSL stylesheet that contains HTML script within it. The attacker would have to entice the user to accept the file by either offering it for download or sending it as an attachment in email. When the user opened the file, a prompt would be raised asking if he wanted to apply the XSL stylesheet. The user would have to agree to apply the stylesheet by clicking "yes", which is not the default. At that point, the stylesheet would be applied and the attacker's script would run. Alternately, if the file were set to autorefresh its query, the XSL could be updated and the script run after the refresh.
Is there any way for an attacker to mount an automated attack using this vulnerability?
No. In all cases, attempts to exploit this vulnerability would require user interaction. There is no way for an attacker to automate an attack against this vulnerability.
What does the patch do?
The patch eliminates the vulnerability by ensuring that the Macros Security Model is applied when Excel opens workbooks that contains XSL stylesheets. The specific result of applying the patch will depend on the security setting of the Macro Security Model.
Variant of MS00-071, Word Mail Merge Vulnerability: (CAN-2002-0619)
What's the scope of the fourth vulnerability?
This vulnerability is a new variant of the "Word Mail Merge" vulnerability first discussed in Microsoft Security Bulletin MS00-071 This vulnerability could allow an attacker to run code on a user's system.
What is the "Word Mail Merge" Vulnerability?
In a nutshell, this is a vulnerability that could enable an attacker to run VBA Code in Access unexpectedly when the user opens a Mail Merge document in Word. In the case of this particular variant, however, the Mail Merge document needs to be saved in HTML format.
Where can I get more information on the "Word Mail Merge" vulnerability?
Microsoft Security Bulletin MS00-071 discusses this vulnerability in detail.
Are there any differences between this variant and the original issue?
Unlike the original issue, this variant requires that the Word document in question be saved in HTML format and that the document then be opened in Word.
In addition, the mitigating factors for this variant are different from the original issue. If the HTML document were opened in anything other than Word, the attempt to exploit the vulnerability would fail. In addition, a successful attack requires that Access be installed on the user's system. If Access is not installed, the attack would fail.
What causes the vulnerability?
The vulnerability results because the original fix for this issue fails to correctly differentiate a remote Access data source when the Word Mail Merge document is an HTML document. As a result, remote data sources are treated in an identical manner as local data sources.
If this variant requires that the Word document is in HTML format, can an attacker mount an automated attack from a web page or HTML email?
No. In all cases, the user must first choose to open the document using Word, either by acknowledging a file download dialogue box, or by choosing to open Word manually. There is no way for an attacker to levy an automated attack against this vulnerability.
How does the patch eliminate this vulnerability?
The patch eliminates the vulnerability by ensuring that Word correctly differentiates between remote and local data sources and handles them in a manner commensurate with their location.
Does this patch eliminate the original issue as well as the new one?
Yes. It eliminates all known variants.
Patch availability
Download locations for this patch
- Office Product Updates site:
- Microsoft Excel 2000 for Windows:
- Client Installation:
- Administrative Installation:
- Microsoft Excel 2002 for Windows:
- Client Installation:
- Administrative Installation:
- Microsoft Word 2002:
- Client Installation:
- Administrative Installation:
Additional information about this patch
Installation platforms:
This patch can be installed on systems running:
- Microsoft Office 2000 SR-1a or Service Pack 2
- Microsoft Office XP Service Pack 1
Inclusion in future service packs:
The fix for these issues will be included in any future service packs released for Office 2000 and Office XP.
Reboot needed: No
Superseded patches:
Verifying patch installation:
- Excel 2000 for Windows:
- Verify that the version number of excel.exe is 9.0.6508.
- Excel 2002 for Windows:
- Verify that the version number of excel.exe is 10.0.4109.0.
- Word 2002 for Windows:
- Verify that the version number of winword.exe is 10.0.4109.
Caveats:
None
Localization:
The patches provided above are appropriate for use on any language version.
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
- Patches for consumer platforms are available from the WindowsUpdate web site
Other information:
Acknowledgments
Microsoft thanks the following people for working with us to protect customers:
- Darryl Higa for reporting the Excel Inline Macros and Hyperlinked Excel Workbook Macro Bypass vulnerabilities.
- The dH team and SECURITY.NNOV team for reporting the variant of MS00-071.
Support:
- Microsoft Knowledge Base article Q324458 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
- V1.0 (June 19, 2002): Bulletin Created.
- V1.1 (June 25, 2002): Bulletin corrected to reflect that Office 2000 patches can install on SR-1a.
- V1.2 (February 28, 2003): Updated download links to Windows Update.