Full Disclosure mailing list archives

Re: FW: Microsoft Security Bulletin MS03-035


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 16 Oct 2003 14:57:16 +1300

"Alex Mega" <korund () hotmail com> wrote:

What is the essence of MS Word bug Microsoft Security Bulletin MS03-035: 
Flaw in Microsoft Word Could Enable Macros to Run Automatically (827653)
There are no details of bug nature in this bulletin, just general info. 
What, in fact, is this Word macro malfunction itself?

Basically there is a "magic bit" that is checked at an early level of 
the "macro security checking" process, but which is not checked at 
other levels of macro functionality __AND__ that is irrelevant to later 
functionality of any macros present.  Thus the early "are there macros 
to worry about" check can decide "nope -- all clear" and then later 
parts of the file parsing will see the macros and process them.  This 
is especially problematic in this case as the "there are no macros to 
worry about" decision fails open, meaning that the macros that it can 
let "slip by" are processed as if approved by the security checking 
process when, in fact, they were unseen by it.

In short, as is so common with so many Microsoft "security" functions, 
the implementation of the security controls on a measure is almost 
entirely divorced from the actual implementation of the feature itself.

It seems clear that "fail safe" is not part of any standard design 
conception at MS, yet MS wonders why it keeps getting pinged for 
"clearly not understanding security basics".  How many more things like 
this will have to be found in MS products before the coders in Redmond 
accept that self-doubt is a necessary addition to their apparently 
deluded self-image of "perfection"?


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
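
The fail-open gap described in the message above, as an added example that is not part of the original post and is not Microsoft's code. It is a toy model: the `ToyDoc` structure, its flag and every function name are hypothetical and do not reflect the real Word file format. It contrasts a gate that trusts the flag with one that inspects what the loader will actually process and refuses on a mismatch.

```python
"""Toy model (constructed, NOT the real Word file format) of a security gate
that trusts a header flag while the loader ignores that flag."""
from dataclasses import dataclass, field


@dataclass
class ToyDoc:
    macros_flag: bool                                  # hypothetical "magic bit"
    macro_stream: list = field(default_factory=list)   # what the loader reads


def find_macros(doc):
    """Single source of truth: the same lookup the loader uses."""
    return list(doc.macro_stream)


def gate_fail_open(doc, user_allows_macros):
    """Flawed gate: decides from the flag alone; flag clear means 'all clear'."""
    if not doc.macros_flag:
        return True            # nothing was inspected, yet treated as approved
    return user_allows_macros


def gate_fail_closed(doc, user_allows_macros):
    """Hardened gate: inspects what the loader will process; the flag is never
    trusted, and a flag/content mismatch is refused regardless of policy."""
    macros = find_macros(doc)
    if macros and not doc.macros_flag:
        return False           # inconsistent file: fail closed
    if macros:
        return user_allows_macros
    return True


def open_document(doc, gate, user_allows_macros=False):
    """Return the macros that would be processed after the gate's decision."""
    return find_macros(doc) if gate(doc, user_allows_macros) else []


# Constructed sample documents
HONEST = ToyDoc(macros_flag=True, macro_stream=["Macro1"])
MISMATCHED = ToyDoc(macros_flag=False, macro_stream=["Macro1"])
PLAIN = ToyDoc(macros_flag=False)

if __name__ == "__main__":
    for name, doc in [("honest", HONEST), ("mismatched", MISMATCHED), ("plain", PLAIN)]:
        print(name, open_document(doc, gate_fail_open),
              open_document(doc, gate_fail_closed))
```

The hardened gate and the loader share `find_macros`, so the check cannot "see" a different file than the feature does.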

