Microsoft Security Bulletin MS02-002 - Low
Malformed Network Request can cause Office v. X for Mac to Fail
Published: February 06, 2002 | Updated: May 09, 2003
Who should read this bulletin:
Users of: Microsoft® Office v. X for Mac
Impact of vulnerability:
Denial of Service
Maximum Severity Rating:
Low
Users of Office v. X should consider applying the patch.
- Microsoft Office v. X
Office v. X contains a network-aware anti-piracy mechanism that detects multiple copies of Office using the same product identifier (PID) running on the local network. This feature, called the Network Product Identification (PID) Checker, announces Office's own unique product ID and listens for other announcements at regular intervals. If a duplicate PID is detected, Office shuts down.
A security vulnerability results because of a flaw in the Network PID Checker. Specifically, the Network PID Checker doesn't correctly handle a particular type of malformed announcement: receiving one causes the Network PID Checker to fail. When the Network PID Checker fails like this, the Office v. X application will fail as well. If more than one Office v. X application was running when the packet was received, the first application launched during the session would fail. An attacker could use this vulnerability to cause other users' Office applications to fail, with the loss of any unsaved data. An attacker could craft and send this packet to a victim's machine directly, by using the machine's IP address. Or, he could send this same directive to a broadcast and multicast domain and attack all affected machines.
- Corporate networks could be protected against Internet-based attacks by following standard firewalling practices (specifically, blocking traffic on port 2222 and on ports greater than 3000).
- Best practices recommend blocking both multicast and broadcast packets at the perimeter firewall.
- At best, an attacker could cause the running Office application that was loaded first to fail. There is no opportunity for an attacker to create, delete, or modify Office data.
- Even a successful attack wouldn't have any effect on the overall system, other applications or any Office application beyond the first one loaded.
| |Internet Servers|Intranet Servers|Client Systems|
|---|---|---|---|
|Microsoft Office v. X|None|None|Low|

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. This is a denial of service vulnerability, but it has several mitigating factors and can affect only one running application.
Vulnerability identifier: CAN-2002-0021
Microsoft tested Microsoft Office X for Mac OS X, Microsoft Office 98 for Macintosh and Office 2001 for Macintosh to assess whether they are affected by this vulnerability. Previous versions are no longer supported and may or may not be affected by this vulnerability.
What's the scope of the vulnerability?
This is a denial of service vulnerability. A malicious user could use it to cause a running Office X application to fail, forcing the user to restart the application. Any unsaved data when the application crashed would be lost.
An attack would not affect the stability of the underlying operating system, nor allow an attacker to alter or delete data. Also, a successful attack could only cause one application to fail on a machine: specifically, the first Office v. X application loaded of those running when the attack occurs. All other Office v. X applications would continue to function normally.
What causes the vulnerability?
The vulnerability results because the network PID checking feature fails to handle exceptional circumstances properly.
What is Network PID Checking?
Each legally purchased and installed copy of Microsoft software has a unique Product Identifier (PID). This Identifier can be seen in most applications by going to "Help" "About". The unique PID is listed there.
Network Product Identification Checking is an anti-piracy feature new to Office X for OS X. When an Office X application starts, it announces its PID on the local network at regular intervals. It also listens on the local network for new PID announcements. If, at any point, an installation of Office X detects a copy of its own PID, Office shuts down on both systems.
What's wrong with Network PID Checking?
There is an implementation flaw in the Network PID Checking feature. The Network PID checking fails to handle specially malformed network requests properly. When these circumstances occur or a specially malformed request is received, Office X does not handle the condition gracefully and fails.
How could an attacker exploit this vulnerability?
An attacker could attempt to exploit this vulnerability by sending a specially crafted network packet one of two ways: they could attempt to send the packet directly to a single user's machine; or, they could attempt to send this packet to all the computers on a subnet by specifying a broadcast address.
How would an attack directed at a single user work?
To attack a single user's machine, the attacker would send the specially malformed packet to the user's IP address. The advantage of this type of attack is that the attacker could mount an attack on any machine they could deliver an IP packet to. This would allow an attacker to potentially mount attacks over great distances.
However, to succeed, the attacker would need to know the IP address of the intended victim. In most cases, IP addresses are assigned by Dynamic Host Configuration Protocol (DHCP), so a single machine's IP address can change.
Also, a directed attack like this would have to use the destination ports that the Network PID Checker uses: 2222 and those greater than 3000. Most corporations block inbound traffic on high ports such as these as a best practice.
How would an attack directed at a broadcast or multicast address work?
To attack many users on a subnet, the attacker would send the specially malformed packet to that network's broadcast or multicast address. The advantage to this type of attack is that the attacker could deliver their malicious packet to all computers on a subnet, potentially causing many users' Office application to fail.
The disadvantage to this attack method is that most routers and firewalls do not forward multicast or broadcast packets. As a result, an attacker would most likely only be able to disrupt Office applications on a single network segment.
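The two delivery paths and the perimeter mitigations described above can be checked against firewall logs. The following is an added example, not part of the bulletin: the internal range, subnet list and flow records are constructed assumptions, and only the port numbers (2222 and those greater than 3000) come from the bulletin.

```python
import ipaddress

# Assumptions (constructed for this example, not from the bulletin): the
# internal range, the subnet list and the flow records. Only the port numbers
# (2222 and those greater than 3000) come from the bulletin.
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")
SUBNETS = [ipaddress.ip_network("10.20.30.0/24")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def is_pid_checker_port(port):
    """Destination ports the bulletin attributes to the Network PID Checker."""
    return port == 2222 or port > 3000


def is_broadcast_or_multicast(dst, subnets):
    addr = ipaddress.ip_address(dst)
    if addr.is_multicast or addr == LIMITED_BROADCAST:
        return True
    return any(addr == net.broadcast_address for net in subnets)


def perimeter_verdict(flow, subnets=SUBNETS):
    """Classify one unsolicited inbound flow against the bulletin's mitigations."""
    if ipaddress.ip_address(flow["src"]) in INTERNAL_NET:
        # Same-segment traffic never crosses the perimeter; only the patch helps.
        return ("local-segment", "not filtered by a perimeter firewall")
    if is_broadcast_or_multicast(flow["dst"], subnets):
        return ("drop", "external broadcast/multicast destination")
    if is_pid_checker_port(flow["dport"]):
        return ("drop", "external traffic to port 2222 or a port above 3000")
    return ("allow", "outside the bulletin's mitigations")


def perimeter_gaps(flows, subnets=SUBNETS):
    """Flows the firewall log shows as allowed that the mitigations would drop."""
    return [f for f in flows
            if f["logged"] == "allow" and perimeter_verdict(f, subnets)[0] == "drop"]


SAMPLE_FLOWS = [  # constructed firewall log records (documentation addresses)
    {"src": "203.0.113.5", "dst": "10.20.30.44", "dport": 2222, "logged": "allow"},
    {"src": "203.0.113.5", "dst": "10.20.30.255", "dport": 80, "logged": "allow"},
    {"src": "198.51.100.7", "dst": "10.20.30.44", "dport": 443, "logged": "allow"},
    {"src": "198.51.100.7", "dst": "224.0.0.251", "dport": 5353, "logged": "drop"},
    {"src": "10.20.30.9", "dst": "10.20.30.255", "dport": 2222, "logged": "allow"},
]

if __name__ == "__main__":
    for gap in perimeter_gaps(SAMPLE_FLOWS):
        print(gap["src"], "->", gap["dst"], gap["dport"], perimeter_verdict(gap)[1])
```

The last sample record is classified as `local-segment`: a sender on the same network segment is outside what perimeter filtering can stop, which is the case the patch addresses.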
What could an attacker do via this vulnerability?
An attacker could cause the Office X applications on the victim's machine to fail, forcing the user to restart. While any unsaved data would be lost, there would be no opportunity for the attacker to alter data. Additionally, an attacker could not run programs or destabilize the operating system in any way.
If several Office X applications were running when an attack was launched, would all of them fail?
No. Only the first application that a user had loaded would fail. Any other applications that were running at the time would continue to run normally. For example, if a user had started Word and Excel in that order, and then received the malformed packet, Word would fail, but Excel would continue to function. The user could then restart Word, and continue working.
Is it possible for these circumstances or packets to occur by accident?
No. In nearly every case, the network traffic or packets would have to be hand-crafted by a user with malicious intent.
I'm running Office on a PC. Could I be affected?
No. The network PID checking feature discussed is only available in Office v. X.
I'm using Mac OS X, but I'm using a version of Office other than Office v. X. Could I be affected?
No. The network PID checking feature discussed is only available in Office v. X.
What does the patch do?
The patch eliminates the vulnerability by allowing the Network PID checker to operate successfully under exceptional circumstances and to discard malformed packets.
Download locations for this patch
- Microsoft Office v. X:
Additional information about this patch
This patch can be installed on systems running Microsoft Office v. X for Mac Gold.
Superseded patches: None.
Verifying patch installation:
- Inside the Microsoft Office X:Office folder, select:
- Microsoft Component Plugin
- Select the file in the Finder. From the File menu, choose "Show Info", and verify that the version shown is "10.0.2 (1412)" for each.
Localized versions of this patch are available at the Macintosh download site referenced above.
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Microsoft Knowledge Base article Q317879 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (February 06, 2002): Bulletin Created.
- V1.1 (May 09, 2003): Updated download links to Windows Update.