Fwd: Microsoft Word macro vulnerability advisory MS01-034

["Steven McLeod" <stevenmcleod () hotmail com>]

Hi,

Within minutes of Microsoft posting the bulletin on their site, my mailbox 
was swamped with emails from people asking the same two questions.  I am 
therefore forwarding the below email (minus the sample document!) to the 
BugTraq mailing list to reach a wide audience and answer the two questions I 
keep getting asked:

1) Reporters asking when I notified Microsoft of the issue.  As you can see 
below, it was the 23rd of April.  Yes, I know, it was before Office XP/2002 
even went on sale.

2) People asking for a sample document which defeats the macro checking.  I 
think the most responsible course of action is to give users a chance to 
download the patch and/or antivirus updates before making an example 
available.  SecurityFocus will no doubt make my sample document available at 
the URL http://www.securityfocus.com/bid/2876 after users have had a chance 
to protect themselves.

Regards,
Steven McLeod.


> From: "Steven McLeod" <stevenmcleod () hotmail com>
> To: aleph1 () securityfocus com
> CC: russ.cooper () rc on ca, virus_support () mcafee com, virus_research () nai com, 
> virus_doctor () trendmicro com, samples () F-Secure com, ywee () symantec com, 
> support () sophos com, newvirus () kaspersky com, secure () microsoft com
> Subject: Microsoft Word macro vulnerability advisory MS01-034
> Date: Fri, 22 Jun 2001 14:28:52 -0000
> MIME-Version: 1.0
> X-Originating-IP: [210.84.112.186]
> Received: from 210.84.112.186 by lw11fd.law11.hotmail.msn.com with 
> HTTP;Fri, 22 Jun 2001 14:28:52 GMT
>
>
> Hi,
>
> I am sending this email to complement Microsoft's Word macro vulnerability 
> advisory just published at 
> http://www.microsoft.com/technet/security/bulletin/MS01-034.asp
>
> Attached to this email is the sample I sent Microsoft when I alerted them 
> to this issue.
>
> I am also forwarding this email with the sample included to the major 
> antivirus vendors for them to examine.
>
> I will leave it up to SecurityFocus' good judgment as to when the sample 
> file should be included in the "exploit" section of your vulnerability 
> database so that system administrators can test their systems after 
> applying Microsoft's patch.  Looking at the structure of your site, I 
> assume that this sample document will reside at 
> http://www.securityfocus.com/bid/2876
>
> I would like to take this opportunity to thank (in no particular order) 
> Alex Uy, Eric Schultze and Scott Culp (Microsoft Security Response Center), 
> Elias Levy (Mr BugTraq), and Russ Cooper (Mr NTBugTraq) for their comments 
> and assistance with this issue.
>
> Regards,
> Steven McLeod.
>
> > From: "Steven McLeod" <stevenmcleod () hotmail com>
> > To: secure () microsoft com
> > Subject: Macro Viruses
> > Date: Mon, 23 Apr 2001 09:44:20 -0000
> >
> > Hi,
> >
> > When you open a Microsoft Word document which contains macros,
> > the default security level causes MS Word to pop up a message
> > box stating "This document contains macros, which could be a
> > virus" and allows the user to "Disable macros" or "Enable macros".
> >
> > Alternatively, if the user's macro security is set to the most
> > secure setting (requiring macros to be signed) all untrusted macros
> > will automatically be stripped out from the document.
> >
> > This macro security feature of MS Word (in Office 2000 and Office
> > 97) can be trivially bypassed by a malicious document, allowing
> > macro code in the document to be run when the document is opened
> > without prompting the user or notifying them that the document
> > contains macros.  Furthermore, the macro will be run without user
> > knowledge even if the user's security setting is at the highest
> > setting (automatically strip out untrusted macros).
> >
> > I have attached a sample document to this email.
> >
> > Is this a known issue?
> >
> > Regards,
> > Steven McLeod.

_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.