Bugtraq mailing list archives
Microsoft Office 2000 Advisory
From: dildog () ATSTAKE COM (dildog)
Date: Fri, 12 May 2000 22:44:32 -0400
@Stake Inc. L0pht Research Labs www.atstake.com www.L0pht.com Security Advisory Advisory Name: Microsoft Office 2000 UA Control Scripting Release Date: 5-12-2000 Application: Microsoft Office 2000 Platform: Windows 95/98, NT 4.0 and 2000 Severity: Malicious active content can execute regardless of macro virus protection settings. Author: DilDog [dildog () atstake com] Vendor Status: Vendor contacted, official patch available Web: http://www.L0pht.com/advisories.html Overview: Microsoft Office 2000 ships with an ActiveX control named "Microsoft Office UA Control". It is installed by default and is categorized as being "safe for scripting". The control is undocumented, and its interfaces are presumably used to script "Show Me" demonstrations for Office 2000 help and 'office assistant' functionality. Analysis of the control's interface reveals functionality to script almost any action in Office 2000 that the user could perform from the keyboard, including, but not limited to, lowering the macro security settings to low. This action can be scripted from any HTML page viewed with active scripting enabled, including both Internet Explorer and Outlook e-mail in their default configurations. Detailed Description: The Microsoft Office UA control exports a powerful interface for automating commands withing the Office 2000 environment. The problem lies in the fact that the control should -not- be marked safe for scripting. The capabilities of this control are such that scripting it via remote HTML and email sources makes it extremely dangerous. A demonstration of the vulnerabilites associated with this control is provided below. The vulnerability demonstration performs the following actions: 1. Start instance of Microsoft Word by pointing a table frame to a word document URL with no macros or active content. 2. Programatically create UA control 3. Attach UA control to first instance of Microsoft Word 4. Make Word the active application 5. Show the Tools/Macro/Security dialog 6. Click on the 'LOW' security radio button 7. Click on the 'OK' button to confirm the change 8. Proceed to re-point a table frame to a word document URL with a macro, which runs without prompting. The fact that this control exists and is installed in this particular fashion would permit the construction of a worm of unparalleled devastation, as it would be able to turn off macro virus protection and 'script' it's way to all of the people in your address book. Temporary Solution: Disable Active Scripting in all Office 2000 applications, and in Internet Explorer. It is no longer sufficient to turn on macro virus protection, as this vulnerability allow those settings to be circumvented. Vendor Response And Official Patch:
From secure () microsoft com
"Wanted to let you know that the patch is now live at http://officeupdate.microsoft.com/info/ocx.htm, and the security bulletin is live at http://www.microsoft.com/technet/security/bulletin/ms00-034.asp." Proof-of-Concept Code: A demonstration of this vulnerability is available at: http://www3.l0pht.com/~dildog/ouahack/index.html This demonstration will set your Word 2000 macro security settings to 'LOW'. An option will be presented to set it back to 'HIGH' or 'MEDIUM'. The demonstration code is intentionally written to be harmless, but a worst case scenario could easily involve more malicious code to perform such actions as file modification, propagating worms and virii, or providing external access to internal network resources. dildog () atstake com [ For more advisories check out http://www.l0pht.com/advisories.html ] L-ZERO-P-H-T
Current thread:
- IE Domain Confusion Vulnerability, (continued)
- IE Domain Confusion Vulnerability Foo Bar (May 11)
- Overflow in Outlook Express 4.* - too long filenames with graphic format extension Ultor (May 12)
- Eudora Sensitive to Long Filenames Ron Moritz (May 18)
- IE Domain Confusion Vulnerability is an Email problem also Richard M. Smith (May 12)
- Re: IE Domain Confusion Vulnerability doesn't matter much Marc Slemko (May 12)
- Re: IE Domain Confusion Vulnerability doesn't matter much Richard M. Smith (May 15)
- Vulnerability in CGI counter 4.0.7 by George Burgyan Howard M. Kash III (May 15)
- Vulnerability in EMURL-based e-mail providers Pierre Benoit (May 15)
- New Solaris root exploit for /usr/lib/lp/bin/netpr Anonymous (May 12)
- Microsoft Security Bulletin (MS00-034) Microsoft Product Security (May 12)
- Microsoft Office 2000 Advisory dildog (May 12)