MS Sec Notification mailing list archives

Microsoft Security Bulletin MS02-059: Flaw in Word Fields and Excel External Updates Could Lead to Information Disclosure (Q330008)

From: "Microsoft" <0_38958_04BF067D-4CF8-4245-B5C1-58573E5746A8_US () Newsletters Microsoft com>
Date: Wed, 16 Oct 2002 18:03:37 -0700
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      Flaw in Word Fields and Excel External Updates Could 
Lead to Information Disclosure (Q330008)
Date:       16 October 2002
Software:   Microsoft(r) Word and Microsoft(r) Excel
Impact:     Information Disclosure
Max Risk:   Moderate
Bulletin:   MS02-059

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS02-059.asp.
- ----------------------------------------------------------------------

Issue:
======
Word and Excel provide a mechanism through which data from one 
document can be inserted to and updated in another document. This 
mechanism, known as field codes in Word and external updates in 
Excel, can be automated to reduce the amount of manual effort 
required by a user. An example of the use of Word field codes could 
be the automatic insertion of a standard disclaimer paragraph in a 
legal document. An example of the use of external updates in Excel 
could be the automatic updating of a chart in one spreadsheet using 
data in a different spreadsheet. 

A vulnerability exists because it is possible to maliciously use 
field codes and external updates to steal information from a user 
without the user being aware. Certain events can trigger field code 
and external update to be updated, such as saving a document or by 
the user manually updating the links. Normally the user would be 
aware of these updates occurring, however a specially crafted field 
code or external update can be used to trigger an update without any 
indication to the user. This could enable an attacker to create a 
document that, when opened, would update itself to include the 
contents of a file from the user's local computer. 

In order for an attacker to take advantage of this vulnerability, 
the attacker would need to perform the following steps: 

 -Craft a Word or Excel document that exploits the vulnerability 
 -Deliver it to the user, via email or some other method 
 -Entice the user to open the document 
 -Return the document to the attacker. (Microsoft is aware of one 
 case in which it would not be necessary for the user to do this. 
 There is  one method through which the attacker's document could 
 post  information directly to a web site, but it would only allow 
 the first  line of the file to be sent)

Mitigating Factors:
====================
- - The attacker would need to know the location of the file that he or
 she wanted to steal. If the correct filename were not presented, 
 the attack would fail and an invalid field error message would be 
 present in the document.
- - The user could always view the field codes or external updates. The
 field codes or external updates used in the attack can be revealed, 
 as they are only hidden to prevent cluttering the document when it 
 is  being viewed or edited. A method of checking documents for 
 additional undesired information is described in the Frequently 
 Asked Questions below. 
- - Although the attacker could take some steps to obscure the stolen 
 information, the attacker would leave a clear audit trail. Since 
 the field codes or external updates can be viewed, even if an attack
 is successful, the attacker would leave clear evidence in the 
 document in the form of the stolen information and the malicious 
 field codes used. This evidence could be used by law enforcement 
 agencies if  required 
- - The vulnerability would not enable the attacker to delete, modify 
 or add any files to the user's local system. 
- - In virtually all circumstances, the attacker would need to entice 
 the user into returning the document. No information would be 
 revealed unless the user returned the document to the attacker.

Risk Rating:
============
 - Internet systems: None
 - Intranet systems: None
 - Client systems: Moderate

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-059.asp
   for information on obtaining this patch.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS 
ALL 
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE 
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
IN 
NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR 
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, 
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF 
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION 
OR 
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO 
THE 
FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPa2ZzY0ZSRQxA/UrAQHcXAf+I+gQmAv/O9eAtJ7VygEYjZWY0WOHy1od
XULm2U8r0jdGJuRaqKxXVkk98ZVhfZdDUwTyJSAMA9NIo7DqlL591k5TX5k2rqjn
SnNheHac5cEdIjnC1BUNoYvFq9FopMCaI+vuR2mYMCpR9MzYBEIpgg0DKddvX9L3
Ug4ObBN/vGkWSDTbyyTWPgTNJV0njPBy+ZAwbYoS9PHbYFQui/oSRDxPzACv9/92
kA9R+OREra0Zc61wxawtoHCsXJed4MIYnNfLcq4GQsYiqKrB5b8UllHT/jA7uOcl
pI+H56GhimHalSQZj8Mrj390jYKev9usqR6SeVKM0/7vUTa+Etp0qA==
=+HVg
-----END PGP SIGNATURE-----


*******************************************************************

You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification 
Service.  For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.
 
To verify the digital signature on this bulletin, please download our PGP key at 
http://www.microsoft.com/technet/security/notify.asp.
 
To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at 
http://register.microsoft.com/regsys/pic.asp 
 
If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via 
email as described below:
Reply to this message with the word UNSUBSCRIBE in the Subject line.
 
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at 
http://www.microsoft.com/security.
Current thread:

Microsoft Security Bulletin MS02-059: Flaw in Word Fields and Excel External Updates Could Lead to Information Disclosure (Q330008) Microsoft (Oct 16)