Microsoft Security Bulletin MS01-028 - Critical
RTF document linked to template can run macros without warning
Published: May 21, 2001 | Updated: July 24, 2003
Originally posted: May 21, 2001
Updated: July 24, 2003
Who should read this bulletin:
Customers using Microsoft® Word for Windows or Microsoft Word for the Mac
Impact of vulnerability:
Run macros without warning
Customers using affected versions of Word should apply the patch immediately.
- Microsoft Word 97
- Microsoft Word 2000
- Microsoft Word 98 (J)
- Microsoft Word 98 for the Mac
- Microsoft Word 2001 for the Mac
Note: Microsoft Word 2002 is not affected by this vulnerability.
Word, like other members of the Office product family, provides a security mechanism that requires user's approval to run macros. By design, anytime a document is opened the user would be notified if the document contains macros. In addition, this mechanism checks secondary documents that the original document links to, such as templates, and warn if any of those contain macros. This feature works by scanning the document or template for the presence of macros, alerting the user of their presence, and then asking the user if he wants to allow the macros to run.
By embedding a macro in a template, and providing another user with an RTF document that links to it, an attacker could cause a macro to run automatically when the RTF document was opened. The macro would be able to take any action that the user herself could take. This could include disabling the user's Word security settings so that subsequently-opened Word documents would no longer be checked for macros.
- The vulnerability only affects Word. Other Office products are not affected.
- The vulnerability does not occur when opening Word documents, only when opening RTF documents, and even then only when the RTF document is linked to a template.
Vulnerability identifier: CAN-2001-0240
Microsoft tested Word 2000, Word 97, Word 98 (J), and Word 98/Word 2001 for the Mac to assess whether they are affected by this vulnerability. Microsoft Word 2002 will not be affected by this vulnerability. Previous versions are no longer supported and may or may not be affected by this vulnerability.
What's the scope of the vulnerability?
This vulnerability could enable an attacker to create a document that, when opened in Word, would run a macro without asking for the user's permission. Macros are able to take any action the user is capable of taking, and as a result this vulnerability could give an attacker an opportunity to take actions such as changing data, communicating with web sites, reformatting the hard drive or changing the Word security settings.
The vulnerability only affects Word - other members of the Office product family are not affected - and only when Rich Text Format documents are open. The vulnerability does not exist when opening Word documents. The vulnerability is not present in Word 2002, the version that ships as part of Office XP.
What causes the vulnerability?
The vulnerability results because, when opening a Rich Text Format document that is linked to a Word template, Word doesn't check the template for embedded macros.
What's Rich Text Format?
Rich Text Format (RTF) is a specification for encoding formatted text and graphics. The principal benefit of RTF is that it's supported by a number of word processors on a number of different platforms. For instance, if Joe uses Word on a PC to create RTF files, he could share them with Jane, who uses an entirely different word processor on a Macintosh. All versions of Word dating back to Word 1.0 natively support RTF.
Word can open and process RTF documents, and Word documents can be saved in RTF if desired. However, there is a security vulnerability involving the way Word opens such files, and this could allow macros to run without the user's permission.
What's a macro?
In general, the term macro refers to a small program that automates commonly performed tasks within an operating system or an application. For instance, all members of the Office family of products support the use of macros. This allows, for instance, companies to develop macros that perform sophisticated productivity tools running within Word, Excel, or other programs. Like any computer program, though, macros can be misused. In particular, because of the popularity of Office products, many viruses are written as macros and embedded within Office documents. To combat this threat, Office has developed a security model that is designed to ensure that macros can only run when the user wants them to. In this case, however, there is a flaw in the security model, which can occur when opening an RTF document that is linked to a template containing a macro.
What's a template?
A template can be thought of as a skeleton document. For instance, a template of a research paper might define the needed styles, include pre-built headers and footers, and include any required boilerplate text. When a user needs to create a new research paper, she could use the template as a foundation upon which to develop her actual paper. Examples of templates can be found in the Microsoft Office Template Gallery.
Like other documents, templates can contain macros. When Word is used to open a document that's based on a template, both the document and the template should be checked for macros. The vulnerability involves a case in which this isn't done correctly.
What's the vulnerability?
In the case where Word is used to open an RTF file, and the file contains a link to a template, only the RTF file is checked for macros. The template, which might also contain macros, is not checked.
What could this enable an attacker to do?
An attacker could use this vulnerability to bypass the normal Word security model. Specifically, if he created a template containing a macro, based on an RTF file on the template, and was able to persuade another user to open the RTF file, the macro in the template would run without asking the user's permission.
What could the macro do?
The macro would be able to take any action that the user herself could take on her machine. This would include adding, changing or deleting files, communicating with a web site, reformatting the hard drive, and so forth.
It's worth noting that a macro also could change the user's security setting. This could include disabling macro protection. As a result, if the user were attacked via this vulnerability, one of the outcomes could be that the user's security settings would be reduced, and other macros that normally would be stopped by Word would now be able to run.
How would the attacker deliver the document to the other user?
The attacker would have a variety of options. He could host it on a web site or, if he had sufficient access, save it on a share. Likewise, he could target a particular user by sending it to her via e-mail or passing it to her on a floppy disk.
If the attacker sent the RTF file to the other user, would he need to send the template with it?
Not necessarily. RTF and Word files don't have to be collocated with their associated templates. Instead, the template can reside on a remote location, and the document can link to it via a web (HTTP) connection. Thus, an attacker could create an RTF file that would link back to a template on his web site, thereby avoiding the need to send both the RTF file and the template to the user.
Suppose the user opened an RTF file, and then saved it as a Word file. If another user later opened the Word file, could it exploit the vulnerability?
No. The security settings work correctly when opening a Word document, even one that's linked to a template.
Does the vulnerability affect any Office products other than Word?
No. Word is the only Office product that can open RTF files, and as a result is the only Office product affected by the vulnerability.
Is Office XP affected by this vulnerability?
The soon to be released version of Word 2002 (the version of Word included in Office XP) is not affected by the vulnerability.
What does the patch do?
The patch eliminates the vulnerability by causing the correct macro checking to be performed even when opening an RTF file linked to a Word template.
Download locations for this patch
- Microsoft Word 2000:
- Microsoft Word 97:
- Microsoft Word 98 (J) for Windows:
Patch will be available shortly
- Microsoft Word 98 for the Mac:
- Microsoft Word 2001 for the Mac:
Additional information about this patch
Patches should be applied for the specific Word version listed in the patch availability section.
This patch supersedes Microsoft Security Bulletin MS99-002.
Verifying patch installation:
- Please verify using the following methods:
- For Word 2000: Check the file version of Winword.exe -- it should be version 9.00.00.5302.
- For Word 97: Check "Help, About" for (QFE 8909).
Localized versions of this patch are under development. When completed, they will be available at the locations discussed in "Obtaining other security patches".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Microsoft Knowledge Base article Q288266 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (May 21, 2001): Bulletin Created.
- V1.1 (June 6, 2001): Update Mac patch availability.
- V1.2 (February 28, 2003): Updated link to Word98 Macro Download
- V1.3 (June 23, 2003): Updated Windows Update download links.
- V1.4 (July 24, 2003): Updated Mac download links.
Built at 2014-04-18T13:49:36Z-07:00