Microsoft Security Bulletin MS00-071 - Critical
Patch Available for 'Word Mail Merge' Vulnerability
Published: October 05, 2000 | Updated: February 28, 2003
Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Word 2000 and 97. The vulnerability could allow a malicious user to run arbitrary code on a victim's computer without their approval.
- Microsoft Word 2000
- Microsoft Word 97
Vulnerability Identifier: CVE-2000-0788
If an Access database is specified as a data source via DDE in a Word mail merge document, macro code can run without the user's approval when the user opens that document.
If a user could be enticed into opening a specially constructed mail merge Word document, which was provided either as an e-mail attachment or as a link hosted on a hostile web site, it would be possible to cause arbitrary code to run on the user's machine. For such an attack to succeed, the victim would also need the ability to reach the Access database via a UNC share or file:// protocol. If the user is behind a firewall and security best practices have been followed, the ports required to access the database would be blocked.
What's this bulletin about?
Microsoft Security Bulletin MS00-071 announces the availability of a patch that eliminates a vulnerability in Microsoft® Word 97 and 2000. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
The vulnerability could allow a malicious user to execute code on a user's machine without the user's authorization. In order to exploit this vulnerability, the malicious user would need to entice the user to either open a Word file attachment in a malicious e-mail message or to visit a malicious web site that referenced a malicious Word file through HTML. The Word document would refer in turn to an Access database used as a mail merge data source, and the code would be executed when the Access database was opened.
A user could only be attacked if they had the ability to open the Access data source specified by the malicious user. In other words, if the malicious Access file were referenced as a UNC path, the user would need to have the ability to reach that file. If a customer's computer were behind a firewall and security best practices had been followed, access to UNC paths hosted on the Internet would normally be blocked.
What causes the vulnerability?
By design there is no macro protection mechanism when opening an Access database. If Access is specified as a data source for a Word mail merge document, then VBA code contained within the Access database will be launched when the Word document is opened.
What is VBA?
Microsoft Visual Basic for Applications (VBA) is the development environment and macro language that is included as part of Microsoft Office. It lets customers automate a wide variety of tasks within any Office application. The vulnerability at issue here could allow VBA code contained in an Access database to be executed without the user's knowledge when the user opened a Word mail merge document.
What's the mail merge function in Word?
Mail merge is a feature that provides the ability to easily construct form letters, mailing lists, and catalogs within Microsoft Word. Normally it is used in conjunction with a database application or other external data management tool that allows the user to "merge" a document containing addresses or other personalized information into a Word mail merge document.
What's wrong with the mail merge functionality in Word?
The vulnerability does not result from the mail merge function as such, but from the interaction of the Word mail merge function and the Access database that can be used as a data source, via DDE. While Word will warn a user before executing VBA code contained in a Word document, a malicious user could avoid the warning by creating a Word mail merge document that used an Access database as a data source, and then inserting VBA code in the Access database.
In the case of a Word file being opened from Internet Explorer, the Office Document Open Confirmation Tool will prompt the user before opening the Word file from within IE.
What would this vulnerability let a malicious user do?
The vulnerability could allow a malicious user to execute code on a user's machine without the user's approval. In order to exploit this vulnerability, the malicious user would need to entice the user to either open a Word file attachment in a malicious e-mail message or to visit a malicious web site that referenced the malicious Word file.
If the VBA code contained within the Access database attempted to function as a virus such as the ILOVEYOU virus, the Outlook E-mail Security Update could prevent the virus from propagating via e-mail.
Would the malicious Word or Access file need to be located on my local machine?
No. The malicious user could either send an e-mail attachment with the offending Word file or create a link to a malicious web site that included an HTML reference to the Word file. The Word file could be located on the malicious user's web site.
How would a malicious user exploit this vulnerability?
The most likely scenario (if it were to take place) would involve a malicious user sending a Word document as an attachment in e-mail or sending an HTML link through mail, referencing the Word file on their malicious web site. The Word file would in turn reference the Access database as a mail merge data source.
In both scenarios above, the user would be taking action on an untrusted file or link from an untrusted source. Users should be careful in opening attachments or referencing links from unknown sources.
If I'm behind a firewall, would that prevent an attack from succeeding?
If a user is protected by a firewall, where best security practices have been followed and inbound and outbound traffic has been blocked on ports 135-139 and 445, a malicious Access database hosted on the Internet cannot exploit this vulnerability. The Access database will not be retrieved when it is specified as a mail merge data source through the file:// or UNC naming conventions.
Where can I get information on Ports 135-139, and 445 referenced above?
http://www.iana.org/assignments/port-numbers provides more information on the use of the port numbers listed above. Briefly, ports 135-139 and 445 are the NetBIOS ports used for accessing files on a Windows network.
Could this vulnerability be exploited accidentally?
No. The vulnerability could not be exploited accidentally. An attack based on this vulnerability could be targeted at a specific user if the user could be enticed (via social engineering) to open a Word document. The Word document would in turn have to use a malicious Access database as a mail merge data source.
What machines are at greatest risk from this vulnerability?
Any computer that has Microsoft Word and Access installed and is connected to a network can be affected by this vulnerability. However, the risk from a malicious Word file is greater if users are directly connected to the Internet. Macintosh Word users are not affected by this vulnerability since Access is not an application that is supported on the Macintosh.
It seems that Access is the cause of the problem, why did you fix Word?
The vulnerability results from the fact that an executable object (the Access database with embedded VBA code) could be launched from a Word document without warning to the user. The patch makes Word's handling of Access as an executable document consistent with Word's handling of other executable types.
Who should use the patch?
Microsoft recommends that all users of the affected versions of Microsoft Word consider installing this patch.
What does the patch do?
The patch enforces zone checking of the Access mail merge data source within the Word file. A dialog will appear notifying the user that the mail merge data source is unavailable if the file is detected to be in the Internet or Restricted sites zone.
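The zone check described above, written out as an added illustration (this is not Microsoft's code and the zone heuristics are a simplified assumption, not the Windows URL Security Zones implementation): a mail merge data source referenced by UNC path or file:// URL is classified by zone, and anything that resolves to the Internet or Restricted sites zone is treated as unavailable rather than opened.

```python
# Simplified model of the zone check MS00-071 adds to Word's handling of an
# Access mail merge data source. Zone rules below are an assumption for
# illustration only; real zone membership comes from the user's Internet
# Options configuration.
from urllib.parse import urlparse, unquote

LOCAL, INTRANET, INTERNET, RESTRICTED = (
    "My Computer", "Local intranet", "Internet", "Restricted sites")

# Constructed sample Restricted-sites list (assumption, not a real host).
RESTRICTED_HOSTS = {"badhost.example"}


def data_source_host(ref: str):
    """Split a data source reference into (host, path).

    Accepts UNC paths (\\\\host\\share\\db.mdb), file: URLs
    (file://host/share/db.mdb) and local drive paths (C:\\data\\db.mdb).
    host is None when the reference is local to this machine."""
    ref = ref.strip()
    if ref.lower().startswith("file:"):
        u = urlparse(ref)
        return (u.netloc or None), unquote(u.path)
    if ref.startswith("\\\\"):                       # UNC: \\host\share\...
        parts = ref[2:].split("\\", 1)
        return parts[0], "\\" + (parts[1] if len(parts) > 1 else "")
    return None, ref                                # local drive path


def zone_of(host):
    """Assumed zone heuristic: no host -> My Computer; a listed restricted
    host -> Restricted sites; a bare single-label name -> Local intranet;
    a dotted name or IP address -> Internet."""
    if host is None:
        return LOCAL
    h = host.lower()
    if h in RESTRICTED_HOSTS:
        return RESTRICTED
    return INTRANET if "." not in h else INTERNET


def data_source_allowed(ref: str) -> bool:
    """Patched behaviour per the bulletin: an Access data source located in
    the Internet or Restricted sites zone is reported unavailable (False)."""
    host, _path = data_source_host(ref)
    return zone_of(host) not in (INTERNET, RESTRICTED)
```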
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How can I tell if I installed the patch correctly?
Microsoft Knowledge Base articles Q274226 (Word 2000) and Q272749 (Word 97) provide a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
- Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft Knowledge Base articles Q274226 (Word 2000) and Q272749 (Word 97) discuss this issue in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
Download locations for this patch
- Microsoft Word 2000:
- Microsoft Word 97:
Additional information about this patch
Installation platforms: Please see the following references for more information related to this issue.
- Microsoft Knowledge Base article Q274226 (Word 2000)
- Microsoft Knowledge Base article Q272749 (Word 97)
Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/contactussupport/?ws=support.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (October 5, 2000): Bulletin Created.
- V1.1 (February 28, 2003): Updated download links