Security Bulletin

Microsoft Security Bulletin MS01-050 - Critical

Malformed Excel or PowerPoint Document Can Bypass Macro Security

Published: October 04, 2001 | Updated: July 24, 2003

Version: 1.3

Originally posted: October 04, 2001
Updated: July 24, 2003

Summary

Who should read this bulletin:
Customers using Microsoft® Excel or PowerPoint for Windows® or Macintosh®

Impact of vulnerability:
Run code of attacker's choice.

Recommendation:
Customers using affected versions of Excel and/or PowerPoint should apply the patch immediately.

Affected Software:

  • Microsoft Excel 2000 for Windows
  • Microsoft Excel 2002 for Windows
  • Microsoft Excel 98 for Macintosh
  • Microsoft Excel 2001 for Macintosh
  • Microsoft PowerPoint 2000 for Windows
  • Microsoft PowerPoint 2002 for Windows
  • Microsoft PowerPoint 98 for Macintosh
  • Microsoft PowerPoint 2001 for Macintosh

General Information

Technical details

Technical description:

Excel and PowerPoint have a macro security framework that controls the execution of macros and prevents macros from running automatically. Under this framework, any time a user opens a document, the document is scanned for the presence of macros. If a document contains macros, either the user is notified and asked whether to run them, or the macros are disabled entirely, depending on the security setting. A flaw exists in the way macros are detected that can allow a malicious user to bypass macro checking.

A malicious attacker could attempt to exploit this vulnerability by crafting a specially formed Excel or PowerPoint document with macro code that would run automatically when the user opened it. The attacker could carry out this attack by hosting the malicious file on a web site, a file share, or by sending it through email.

Mitigating factors:

  • The macro code could not execute without the user's first opening the document.

Vulnerability identifier: CAN-2001-0718

Tested Versions:

Microsoft tested the following products to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

  • Office 98 for Macintosh
  • Office 2001 for Macintosh
  • Office 2000 for Windows
  • Office 2002 for Windows

Frequently asked questions

What's the scope of the vulnerability?
This vulnerability could enable a malicious user to create specially formed Excel or PowerPoint files that would bypass macro security and execute automatically when the document is opened. Because macros by design can take any action that the user is able to take, this vulnerability could allow an attacker to take actions such as changing or deleting data, communicating with web sites, or changing the macro security settings. The macro would not be able to take any actions that the user is not normally capable of. As such, access controls that limit the user's abilities would also limit the abilities of the malicious document. Further, a successful attack would require that the user open the malicious document. Best practices recommend that users not open documents from unknown or untrusted sources.

What causes the vulnerability?
The vulnerability results because the macro detecting framework can fail to detect all instances in which the macro processor can execute macro commands. When a valid document is intentionally designed to obfuscate the presence of macros, it is still possible for those macros to execute.

What are macros?
Macros are small programs within applications such as Excel and PowerPoint. When macros run, they can take actions within the application or the operating system as if they were the user. An example of a simple action a macro might take in an application would be to find and replace text within a document. A more sophisticated macro might include features that perform automatic formatting on a document, copy files from the local system to the network, and send review copies by email. Because macros are really small programs, it is possible for attackers to create malicious macros that take undesirable actions, such as deleting files, sending unwanted messages by email, or changing the data in documents. To help protect against malicious macros, Excel and PowerPoint have a security model that prevents macros from executing without warning.

What's wrong with the macro protection in Excel and PowerPoint?
It is possible for a malicious user to create a specially malformed Excel or PowerPoint document that would bypass the macro protections and allow macros to execute automatically.

Is it possible to create a document like this by accident?
No. It is not possible to create a document that bypasses macro protection by accident. It would require very specific, detailed knowledge and such a document would have to be specifically constructed with malicious intent.

What could an attacker use this vulnerability to do?
This could allow an attacker to craft a malicious document with macro code that would run automatically when the user opened the document.

What actions could the malicious document take?
Because macros take action on behalf of the user, a macro virus that ran would be able to take actions that the user himself is able to take, including changing or deleting files, sending data to external web sites, or reformatting the hard drive. It's important to highlight that this means that it is possible for a macro virus to reset the user's security settings. A successful macro virus attack could leave a system vulnerable to future attack by disabling the security settings.

How would an attacker carry out an attack against this vulnerability?
An attacker could carry out an attack by several different routes. She could host a malicious document on a web site internally or on the Internet. She could place a malicious document on any file server to which she had appropriate permissions. Additionally, she could target specific individuals by sending a copy through email. It's important to note that all attempts to carry out an attack require the potential victim to open the document. It is not possible to exploit this vulnerability without the user's action. Opening documents only from known, trusted sources will help to protect against an attempt to maliciously exploit this vulnerability.

What does the patch do?
The patch eliminates the vulnerability by improving the code which detects the presence of macros in these document types.

Who should apply the patch?
Anyone using or administering systems running the affected software versions should apply the patch.

I'm running Excel 97 and/or PowerPoint 97, does this issue affect me?
First, it's important to understand that Excel and PowerPoint 97 do not have the same macro security framework as Excel and PowerPoint 2000 and 2002. The Excel and PowerPoint 97 macro security framework lacks many key features that the 2000 and 2002 macro security framework has, including a digital signature trust model that allows trusted, signed macros to be differentiated from untrusted, unsigned macros. Under this older framework, it is difficult for a user to make an informed decision regarding the trustworthiness of macros. In addition, as noted under "Tested Versions", Excel and PowerPoint 97 are no longer supported products. Because of these two issues, customers who are concerned about macro security are urged to upgrade to a supported version with a more robust macro security model.

Are other members of the Office Suite vulnerable?
No. All members of the Office Suites for Windows and Macintosh were tested. No other products in the Office Suite were found to be vulnerable.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms:

These patches can be installed on systems running Excel or PowerPoint 2000 SR-1 or SP2 for Windows and systems running Excel or PowerPoint 98 or 2001 for Macintosh.

Inclusion in future service packs:

The fix for this issue will be included in Office XP Service Pack 1.

Reboot needed: No

Superseded patches: None.

Verifying patch installation:

  • Microsoft Excel 2000 for Windows:
    Verify that the version number of excel.exe is 9.0.0.5519

  • Microsoft Excel 2002 for Windows:
    Select the Help menu, and choose "About", and verify that the version shown in the dialogue is 10.3207.2625.

  • Microsoft PowerPoint 2000 for Windows:
    Select the Help menu, and choose "About", and verify that the version shown in the dialogue is 9.0.5519.

  • Microsoft PowerPoint 2002 for Windows:
    Select the Help menu, and choose "About", and verify that the version shown in the dialogue is 10.3207.2625.

  • Microsoft Excel and PowerPoint 98 for Macintosh:
    Select the file in the Finder. From the File menu, choose "Get Info", and verify that the version shown is 9.0.1 (3618).

  • Microsoft Excel and PowerPoint 2001 for Macintosh:
    Select the file in the Finder. From the File menu, choose "Get Info", and verify that the description shown is "2001 Security Update".
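The Windows checks above can be automated across many machines. The following is an added example, not part of the bulletin and not Microsoft's code: it compares reported version strings with the values listed above, numerically and only within the same version format. The inventory record layout, the host names and sample versions (constructed), and the rule that a numerically higher version counts as patched are assumptions.

```python
# Patched versions copied from "Verifying patch installation" (Windows products).
PATCHED = {
    "Excel 2000 for Windows": "9.0.0.5519",         # excel.exe file version
    "Excel 2002 for Windows": "10.3207.2625",       # Help > About string
    "PowerPoint 2000 for Windows": "9.0.5519",      # Help > About string
    "PowerPoint 2002 for Windows": "10.3207.2625",  # Help > About string
}


def parse_version(text):
    """Split '9.0.0.5519' into (9, 0, 0, 5519); raise ValueError if not numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def patch_status(product, reported):
    """Return 'patched', 'unpatched', 'review' or 'not-covered'."""
    if product not in PATCHED:
        return "not-covered"  # e.g. Excel 97: the bulletin lists no patched version
    want = parse_version(PATCHED[product])
    try:
        have = parse_version(reported)
    except ValueError:
        return "review"
    # The bulletin mixes a 4-part file version with 3-part About-dialog strings;
    # comparing across formats (or across major versions) proves nothing.
    if len(have) != len(want) or have[0] != want[0]:
        return "review"
    # Assumption: a numerically higher version in the same format is a later build.
    return "patched" if have >= want else "unpatched"


# Constructed inventory records: (host, product, reported version).
SAMPLE_INVENTORY = [
    ("ws-01", "Excel 2000 for Windows", "9.0.0.5519"),
    ("ws-02", "Excel 2000 for Windows", "9.0.0.4000"),
    ("ws-03", "Excel 2000 for Windows", "9.0.0.10000"),      # needs numeric compare
    ("ws-04", "PowerPoint 2000 for Windows", "9.0.0.5519"),  # 4 parts vs 3 listed
    ("ws-05", "Excel 97 for Windows", "8.0"),
]


def audit(inventory):
    """Map each host to its status so unpatched and unclear hosts can be followed up."""
    return {host: patch_status(product, ver) for host, product, ver in inventory}
```

Hosts reported as "review" need the manual check described in the list above, because the collected string is not in the format the bulletin gives for that product.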

Caveats:

None

Localization:

The patches provided above are appropriate for use on any language version.

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site.

Other information:

Acknowledgments

Microsoft thanks Peter Ferrie of Symantec Security Response (https://securityresponse.symantec.com) for reporting this issue to us and working with us to protect customers.

Support:

  • Microsoft Knowledge Base articles Q306603, Q306604, Q306605, Q306606 discuss these issues and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft (https://support.microsoft.com/directory/question.asp?sd=gn&fr=0). There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (October 04, 2001): Bulletin Created
  • V1.1 (October 09, 2001): Updated to correct verification information and localization information.
  • V1.2 (June 13, 2003): Updated download links to Windows Update.
  • V1.3 (July 24, 2003): Updated Mac download links
