Security Bulletin

Microsoft Security Bulletin MS02-059 - Moderate

Flaw in Word Fields and Excel External Updates Could Lead to Information Disclosure (Q330008)

Published: October 16, 2002 | Updated: July 24, 2003

Version: 1.2

Originally posted: Oct 16, 2002

Updated: July 24th, 2003

Summary

Who should read this bulletin: Customers using Microsoft® Word or Microsoft® Excel.

Impact of vulnerability: Information Disclosure

Maximum Severity Rating: Moderate

Recommendation: Customers using Word or Excel should apply the patches.

Affected Software:

• Microsoft Word 2002

• Microsoft Word 2000

• Microsoft Word 97

• Microsoft Word 98(J)

• Microsoft Word X for Macintosh

• Microsoft Word 2001 for Macintosh

• Microsoft Word 98 for Macintosh

• Microsoft Excel 2002

General Information

Technical details

Technical description:

Word and Excel provide a mechanism through which data from one document can be inserted to and updated in another document. This mechanism, known as field codes in Word and external updates in Excel, can be automated to reduce the amount of manual effort required by a user. An example of the use of Word field codes could be the automatic insertion of a standard disclaimer paragraph in a legal document. An example of the use of external updates in Excel could be the automatic updating of a chart in one spreadsheet using data in a different spreadsheet.

A vulnerability exists because it is possible to maliciously use field codes and external updates to steal information from a user without the user being aware. Certain events can trigger field code and external update to be updated, such as saving a document or by the user manually updating the links. Normally the user would be aware of these updates occurring, however a specially crafted field code or external update can be used to trigger an update without any indication to the user. This could enable an attacker to create a document that, when opened, would update itself to include the contents of a file from the user's local computer.

In order for an attacker to take advantage of this vulnerability, the attacker would need to perform the following steps:

• Craft a Word or Excel document that exploits the vulnerability
• Deliver it to the user, via email or some other method
• Entice the user to open the document
• Return the document to the attacker. (Microsoft is aware of one case in which it would not be necessary for the user to do this. There is one method through which the attacker's document could post information directly to a web site, but it would only allow the first line of the file to be sent)

Mitigating factors:

• The attacker would need to know the location of the file that he or she wanted to steal. If the correct filename were not presented, the attack would fail and an invalid field error message would be present in the document.
• The user could always view the field codes or external updates. The field codes or external updates used in the attack can be revealed, as they are only hidden to prevent cluttering the document when it is being viewed or edited. A method of checking documents for additional undesired information is described in the Frequently Asked Questions below.
• Although the attacker could take some steps to obscure the stolen information, the attacker would leave a clear audit trail. Since the field codes or external updates can be viewed, even if an attack is successful, the attacker would leave clear evidence in the document in the form of the stolen information and the malicious field codes used. This evidence could be used by law enforcement agencies if required
• The vulnerability would not enable the attacker to delete, modify or add any files to the user's local system.
• In virtually all circumstances, the attacker would need to entice the user into returning the document. No information would be revealed unless the user returned the document to the attacker.

Severity Rating:

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2002-1143

Tested Versions:

Microsoft tested Word 2002, Word 2000, Word 98(J), Word 97, Word X for Macintosh, Word 2001 for Macintosh, Word 98 for Macintosh, Excel 2002, Excel 2000, Excel 97, Excel X for Macintosh, Excel 2001 for Macintosh and Excel 98 for Macintosh to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

What's the scope of the vulnerability?
This vulnerability could enable an attacker to create a document that could be used to steal the contents of a document that another user has access to. Under virtually all circumstances it would not be possible for an attacker to exploit the vulnerability without the involvement of the user. In order for an attacker to take advantage of this vulnerability, the attacker would have to craft a malicious Word or Excel document, deliver to the user (via email or other means) and then entice the user to return the document. Even a successful attack would leave tell-tale evidence that could aid law enforcement in identifying the attacker.

What products does this affect?
The issue affects all versions of Word including when Word is used as the e-mail editor by Microsoft Outlook. Excel 2002 is also affected.

What causes the vulnerability?
By design, field codes and external updates can be used to insert data from other sources into Word documents and Excel spreadsheet. Normally the user is aware of these updates occurring. However a flaw in the way field codes and external updates is implemented could make it possible to craft a malicious field code or external updates that, when the document or spreadsheet is opened, will automatically update without the user being aware

What are field codes and external updates?
Field codes and external updates are ways of automating the insertion of data in a document. For example, field codes are often used in a Word document to insert the date or page number automatically. External updates in Excel are similar, and can be used for example to insert data from one Excel spreadsheet into another automatically. Field codes and external updates typically are hidden from view during normal document editing, so as not to clutter the user's view. However they can be revealed and inspected at any time, if necessary. Field codes and external links cannot be permanently hidden in a document to the extent that they cannot be revealed later.

What's wrong with the way Word field codes and Excel external updates are implemented?
By design, field codes and external updates can automatically insert and update information from external sources, including data files on the user's system. This is normally legitimate automation on the user's behalf. However, a flaw exists because this update behavior can be manipulated so that a hidden field code can carry out an update without the user being aware. This can be used to insert information from a user's document into the attacker's document, without the user being aware.

What could this vulnerability enable an attacker to do?
The vulnerability could enable the attacker to steal the contents of a user's document without the user being aware

How could an attacker exploit this vulnerability?
There are a number of steps an attacker would have to take in order to execute a successful attack:

• The attacker would have to craft a special Word or Excel document that contained specially crafted Word fields or Excel external updates. These field codes or external updates would need to reference the exact name and location of the file that the attacker wished to steal.
• The attacker would then have to deliver the document to the user via email or some other means, and convince the user to open it
• After closing the document, the user would need to return the document to the attacker. (There is one niche case, discussed below, in which this would not be necessary)

What's the case in which the user would not have to return the attacker's document?
There is one limited scenario where an attacker could use a field code to send data directly to a web site under the attacker's control. Although this scenario would eliminate the need for the user to return the attacker's document, it's subject to a significant drawback - it could only be used to obtain the first line from the user's file

How is Microsoft Outlook affected?
Microsoft Outlook itself is not affected. However, Outlook 2002 uses Word as its e-mail editor by default. Outlook 2000 and Outlook 97 can be configured to use Word as their e-mail editor. Microsoft Outlook for Macintosh does not use Word as its e-mail editor. If Word is being used as the Outlook e-mail editor, an e-mail message is treated as a document. The Word patch described in this bulletin corrects this issue whether Word is used separately or in conjunction with Outlook.

Could this vulnerability be used to forge a digitally signed document?
No, the signature would be invalidated as soon as the maliciously crafted document was opened. This would be evident from inspecting the digital signature. Microsoft Knowledge Base article Q329228 discusses how to verify a digital signature in an Office document.

Is there any way of seeing what an attacker might have stolen?
Yes there is. It is important to understand that the contents of the stolen document do not become invisible. The attacker may choose to obscure the contents of the stolen document, but the contents will still be visible if all field codes are revealed and the document is inspected. The stolen contents cannot be irreversibly hidden. Field codes and external updates can be exposed by selecting the following menu options:

• Word 2002, 2000, 97, 98(J): Tools|Options|View then selecting the "Field Codes" box.
• Word X, 2001 for Macintosh: Edit|Preferences|View then selecting the "Field Codes" box.
• Word 98 for Macintosh: Tools|Preferences|View then selecting the "Field Codes" box.
• Excel 2002: Tools|Options|View|Formulas

This evidence, which will always be present, could be used if necessary to pursue disciplinary or legal action against an attacker.

How can I remove any additional data that is present in a Word or Excel document?
Microsoft Knowledge Base article Q223396 discusses how to check for and remove additional data from Office documents.

Can I read my e-mail in Outlook using plain text?
This capability was introduced in Office XP SP1. Microsoft Knowledge Base article Q307594 describes how to do this.

What do the patches do?
The Word patch changes the default behavior in Word to prevent those fields that insert data from sources external to the current document, from updating automatically, without direct user interaction to force such an update for those fields. This puts the user in control of whether the update is allowed to proceed. The Excel 2002 patch prompts the user in the one situation where Excel 2002 will not request the user's permission to refresh external updates.

I'm a network administrator and I'd like to deploy the patch to my users, rather than requiring them each to visit the OfficeUpdate site. Is there a way to do this?
I'm a network administrator and I'd like to deploy the patch to my users, rather than requiring them each to visit the OfficeUpdate site. Is there a way to do this? Yes. An administrative update is available that will let you do this. To download the administrative update, just visit the download location for the appropriate version of Word and Excel. Links to the administrative update are provided on the download pages.

Patch availability

Download locations for this patch

• Microsoft Word 2002:

  https://www.microsoft.com/download/details.aspx?FamilyID=6BDB7B4C-B6D8-4554-B28C-C4A5969FDD4F&displaylang;=EN

  https://www.microsoft.com/office/ork/xp/journ/Wrd1005a.htm (administrative update only)

• Microsoft Word 2000:

  https://www.microsoft.com/download/details.aspx?FamilyID=5C011C70-47D0-4306-9FA4-8E92D36332FE&displaylang;=EN

• Word 97/Word 98(J):

  Information on receiving Word 97 & Word 98(J) support is available at: https://support.microsoft.com/default.aspx?scid=kb;EN-US;Q330080

• Word X for Macintosh:

  https:

• Word 2001 for Macintosh:

  </https:>https:

• Word 98 for Macintosh:

  </https:>https:

• Excel 2002:

  https://www.microsoft.com/download/details.aspx?FamilyID=09708964-A8D6-4F4E-9D82-280E08F36E8A&displaylang;=EN

  https://www.microsoft.com/office/ork/xp/journ/Exc1003a.htm (administrative update only)

Additional information about this patch

Installation platforms:

• The Word 2002 patch can be installed on systems running Word 2002 with Office XP Service Pack 2. (The administrative update can be installed on systems running Office 2002 Service Pack 1 as well).
• The Word 2000 patch can be installed on systems running Word 2000 with Office 2000 Service Release 1 or Service Pack 2
• The Word 98(J) patch can be installed on systems running Microsoft Word 98(J) Gold or any Word 98(J) service release, but is only supported on Word 98(J) Service Release 2b
• The Word 97 patch can be installed on systems running Microsoft Word 97 Gold or any Word 97 service release, but is only supported on Word 97 Service Release 2b
• The Word X for Macintosh patch can be installed on systems running the latest version of Office v.X. To determine the latest version of Office, look at </https:>https:
• The Word 2001 for Macintosh patch can be installed on systems running the latest version of Office 2001. To determine the latest version of Office, look at </https:>https:
• The Word 98 for Macintosh patch can be installed on systems running the latest version of Office 98. To determine the latest version of Office, look at </https:>https:
• The Excel 2002 patch can be installed on systems running Excel 2002 with Office XP Service Pack 2. (The administrative update can be installed on systems running Office 2002 Service Pack 1 as well).

Inclusion in future service packs:

The fix for this issue will be included in any future service packs for the affected products.

Reboot needed: No

Patch can be uninstalled: No

Superseded patches: None.

Verifying patch installation:

• Word 2002: Verify that the version number of Winword.exe is 10.0.4524.0
• Word 2000: Verify that the version number of Winword.exe is 9.00.00.6926
• Word 97/Word 98(J): Information on checking Word 97/Word 98(J) is available at: https://support.microsoft.com/default.aspx?scid=kb;EN-US;Q330080
• Word X for Macintosh: Information on checking Word X for Macintosh is available at: </https:>https:
• Word 2001 for Macintosh: Information on checking Word 2001 for Macintosh is available at: </https:>https:
• Word 98 for Macintosh: Information on checking Word 98 for Macintosh is available at: </https:>https:
• Excel 2002: Verify that the version number of Excel.exe is 10.0.4524.0

Caveats:

None

Localization:

Localized versions of this patch are available at the locations discussed in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

• Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
• Patches for consumer platforms are available from the WindowsUpdate web site

Other information:

Support:

• Microsoft Knowledge Base article Q330008 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
• Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

• V1.0 (October 16, 2002): Bulletin Created.
• V1.1 (October 17, 2002): Updated to clarify that the Word 2002 patch can be applied to systems running Word 2002 Service Pack 1 using the administrative update.
• V1.2 {July 24, 2003): Updated Mac download links.

Built at 2014-04-18T13:49:36Z-07:00 </https:>