-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

           ESB-2002.453 -- Microsoft Security Bulletin MS02-044
            Unsafe Functions in Office Web Components (Q328130)
                              22 August 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Office Web Components 2000
                        Office Web Components 2002
Vendor:                 Microsoft
Impact:                 Execute Arbitrary Code/Commands
Access Required:        Remote

Comment: Products which include the affected software:

         Microsoft BackOffice Server 2000
         Microsoft BizTalk Server 2000
         Microsoft BizTalk Server 2002
         Microsoft Commerce Server 2000
         Microsoft Commerce Server 2002
         Microsoft Internet Security and Acceleration Server 2000
         Microsoft Money 2002
         Microsoft Money 2003
         Microsoft Office 2000
         Microsoft Office XP
         Microsoft Project 2002
         Microsoft Project Server 2002
         Microsoft Small Business Server 2000

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

- - ----------------------------------------------------------------------
Title:      Unsafe Functions in Office Web Components (Q328130)
Date:       21 August 2002
Software:   Office Web Components, Office, BackOffice Server,
            BizTalk Server, Commerce Server, ISA Server, Money,
            Microsoft Project, Microsoft Project Server,
            Small Business Server
Impact:     Three vulnerabilities, the most serious of which could
            allow an attacker to run commands on the user's system.
Max Risk:   Critical
Bulletin:   MS02-044

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS02-044.asp.
- - ----------------------------------------------------------------------

Issue:
======
The Office Web Components (OWC) contain several ActiveX controls
that give users limited functionality of Microsoft Office in a web
browser without requiring that the user install the full
Microsoft Office application. This allows users to utilize
Microsoft Office applications in situations where installation
of the full application is infeasible or undesirable. 

The controls contain three security vulnerabilities, each of
which could be exploited either via a web site or an HTML mail.
The vulnerabilities result from implementation errors in the
following methods and functions that the controls expose: 

 - Host(). This function, by design, provides the caller with
   access to applications' object models on the user's system.
   By using the Host() function, an attacker could, for instance,
   open an Office application on the user's system and invoke
   commands there that would execute operating system commands
   as the user. 

 - LoadText(). This method allows a web page to load text into a
   browser window. The method does check that the source of the
   text is in the same domain as the window, and in theory should
   restrict the page to only loading text that it hosts itself.
   However, it is possible to circumvent this restriction by
   specifying a text source located within the web page's domain,
   and then setting up a server-side redirect of that text to a
   file on the user's system. This would provide an attacker with
   a way to read any desired file on the user's system. 

 - Copy()/Paste(). These methods allow text to be copied and pasted.
   A security vulnerability results because the methods do not
   respect the "disallow paste via script" security setting in IE.
   Thus, even if this setting had been selected, a web page could
   continue to access the copy buffer, and read any text that the
   user had copied or cut from within other applications. 

The patch does not set the "kill bit" on the control, for reasons
discussed in the FAQ.
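
The LoadText() flaw described above comes down to a same-domain check applied to the requested URL but not to the redirect target. The following added example (not Microsoft's code and not the patch's actual fix; the redirect table, hosts, paths and function names are constructed) simulates that check offline beside one that re-validates every hop.

```javascript
// Constructed redirect table standing in for server-side redirects.
// Every host and path below is made up for this example.
const REDIRECTS = {
  "http://pages.example/data/notes.txt": "http://pages.example/data/notes-v2.txt",
  "http://pages.example/data/report.txt": "file:///C:/placeholder/local-file.txt",
  "http://pages.example/data/feed.txt": "http://other.example/feed.txt",
};
const MAX_HOPS = 5; // bound on redirect chains in this simulation

// Same-origin test on scheme, host and port.
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Flawed pattern from the bulletin: the requested URL is checked once,
// then redirects are followed without looking at where they lead.
function loadTextCheckOnce(pageUrl, srcUrl) {
  if (!sameOrigin(pageUrl, srcUrl)) return { ok: false, reason: "cross-origin source" };
  let url = srcUrl;
  for (let hop = 0; hop < MAX_HOPS && REDIRECTS[url]; hop++) url = REDIRECTS[url];
  return { ok: true, loadedFrom: url };
}

// Hardened pattern: every URL in the chain, including each redirect
// target, must pass the same-origin check before it is used.
function loadTextCheckEveryHop(pageUrl, srcUrl) {
  let url = srcUrl;
  for (let hop = 0; hop <= MAX_HOPS; hop++) {
    if (!sameOrigin(pageUrl, url)) return { ok: false, reason: "blocked hop to " + url };
    if (!REDIRECTS[url]) return { ok: true, loadedFrom: url };
    url = REDIRECTS[url];
  }
  return { ok: false, reason: "too many redirects" };
}

const PAGE = "http://pages.example/index.html";
for (const src of Object.keys(REDIRECTS)) {
  console.log(src, loadTextCheckOnce(PAGE, src), loadTextCheckEveryHop(PAGE, src));
}
```

The same-domain redirect still loads under the hardened check, while the redirects to a file: URL and to another host are refused.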

Mitigating Factors:
====================
Overall: 

 - In the case of the web-based attack, an attacker would need
   to force a user to visit the attacker's Web site. Users who
   exercise caution in visiting web sites could minimize their
   risk. 

 - In the web-based attack, if ActiveX controls have been
   disabled in the zone in which the page was viewed, the
   vulnerability could not be exploited. Users who place
   untrusted sites in the Restricted Sites zone, which disables
   ActiveX by default, or have disabled ActiveX controls in the
   Internet zone could minimize their risk. 

 - In the case of HTML email based attacks, customers who read
   email in the Restricted Sites zone would be protected against
   attempts to exploit this vulnerability. Customers using
   Outlook 2002 and Outlook Express 6.0, as well as
   Outlook 2000 and Outlook 98 customers who have applied the
   Outlook Email Security Update would thus be protected by
   default. Also, Outlook Express 5.0 customers who have chosen
   to read mail in the Restricted Sites zone would be protected
   by default. 

 - In the HTML email based attack, Outlook 2002 customers who
   have enabled the "Read as Plain Text" option available in
   SP1 or later would also be protected.
 
Host() Vulnerability: 

 - The attacker's code would be limited by restrictions on the
   user's account. Running under a non-privileged account would
   limit the potential damage from a successful attack. 

LoadText(): 

 - The attacker would need to know the full path and name of the
   file. In addition, the file would have to be viewable in a
   web browser. 

Copy()/Paste(): 

 - The vulnerability could enable an attacker to access only
   information in the Windows clipboard. The information in the
   clipboard is unpredictable and this vulnerability gives no
   means for an attacker to target and retrieve specific
   information. Further, it is possible for the clipboard to
   be empty, which would yield an attacker nothing. 

 - The security setting in question is not enabled by default.
   Thus, the vulnerability does not present a threat to the 
   default installation.

Risk Rating:
============
 - Internet systems: Moderate
 - Intranet systems: Moderate
 - Client systems: Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-044.asp
   for information on obtaining this patch.

- - ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.

- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be made in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

-----END PGP SIGNATURE-----