             __________________________________________________________

                           Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                    Excel and PowerPoint Macro Vulnerability

October 8, 2001 20:00 GMT                                         Number M-004
                                          Revised: October 15, 2001 19:00 GMT
______________________________________________________________________________
PROBLEM:       Excel and PowerPoint macros can be written to avoid detection
               by the macro security process. This vulnerability is the same
               as one that Microsoft published earlier for Word.

PLATFORM:      Microsoft Excel 98 for Macintosh
               Microsoft Excel 2000 for Windows
               Microsoft Excel 2001 for Macintosh
               Microsoft Excel 2002 for Windows
               Microsoft PowerPoint 98 for Macintosh
               Microsoft PowerPoint 2000 for Windows
               Microsoft PowerPoint 2001 for Macintosh
               Microsoft PowerPoint 2002 for Windows

DAMAGE:        Excel and PowerPoint may allow a specially formed document
               with macro code to run arbitrary malicious code without prior
               warning to the user.

SOLUTION:      Patch or upgrade as directed in the bulletin.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. Circumvented macro security processes may
ASSESSMENT:    allow malicious macro code to run without prior warning.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-004.shtml
 ORIGINAL BULLETINS: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-050.asp
                     (Excel and PowerPoint)
                     http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-034.asp
                     (Word)
 PATCHES:
   Microsoft Excel 2000 for Windows:
     http://download.microsoft.com/download/excel2000/e2kmac/1/w98nt42kme/en-us/e2kmac.exe
   Microsoft Excel 2002 for Windows:
     http://download.microsoft.com/download/excel2002/exc1001/1/w98nt42kme/en-us/exc1001.exe
   Microsoft Excel 98 for Macintosh:
     http://www.microsoft.com/mac/download/office98/pptxlmacro.asp
   Microsoft Excel 2001 for Macintosh:
     http://www.microsoft.com/mac/download/office2001/pptxlmacro.asp
   Microsoft PowerPoint 2000 for Windows:
     http://download.microsoft.com/download/powerpoint2000/p2kmac/1/w98nt42kme/en-us/p2kmac.exe
   Microsoft PowerPoint 2002 for Windows:
     http://download.microsoft.com/download/powerpoint2002/ppt1001/1/w98nt42kme/en-us/ppt1001.exe
   Microsoft PowerPoint 98 for Macintosh:
     http://www.microsoft.com/mac/download/office98/pptxlmacro.asp
______________________________________________________________________________

[****** Start Advisory ******]

Microsoft Security Bulletin MS01-050
Malformed Excel or PowerPoint Document Can Bypass Macro Security

Originally posted: October 04, 2001

Summary

Who should read this bulletin: Customers using Microsoft(r) Excel or
PowerPoint for Windows(r) or Macintosh(r)

Impact of vulnerability: Run code of attacker's choice.

Recommendation: Customers using affected versions of Excel and/or PowerPoint
should apply the patch immediately.
Affected Software:
  Microsoft Excel 2000 for Windows
  Microsoft Excel 2002 for Windows
  Microsoft Excel 98 for Macintosh
  Microsoft Excel 2001 for Macintosh
  Microsoft PowerPoint 2000 for Windows
  Microsoft PowerPoint 2002 for Windows
  Microsoft PowerPoint 98 for Macintosh
  Microsoft PowerPoint 2001 for Macintosh

Technical details

Technical description:

Excel and PowerPoint have a macro security framework that controls the
execution of macros and prevents macros from running automatically. Under
this framework, any time a user opens a document the document is scanned for
the presence of macros. If a document contains macros, the user is notified
and asked if he wants to run the macros, or the macros are disabled entirely,
depending on the security setting.

A flaw exists in the way macros are detected that can allow a malicious user
to bypass macro checking. A malicious attacker could attempt to exploit this
vulnerability by crafting a specially formed Excel or PowerPoint document
with macro code that would run automatically when the user opened it. The
attacker could carry out this attack by hosting the malicious file on a web
site, a file share, or by sending it through email.

Mitigating factors:

The macro code could not execute without the user's first opening the
document.

Vulnerability identifier: CAN-2001-0718

Tested Versions:

Microsoft tested the following products to assess whether they are affected
by these vulnerabilities. Previous versions are no longer supported, and may
or may not be affected by these vulnerabilities.

  Office 98 for Macintosh
  Office 2001 for Macintosh
  Office 2000 for Windows
  Office 2002 for Windows

Frequently asked questions

What's the scope of the vulnerability?

This vulnerability could enable a malicious user to create specially formed
Excel or PowerPoint files that would bypass macro security and execute
automatically when the document is opened.
Because macros by design can take any action that the user is able to take,
this vulnerability could allow an attacker to take actions such as changing
or deleting data, communicating with web sites, or changing the macro
security settings. This would not be able to take any actions that the user
is not normally capable of. As such, access controls that limit the user's
abilities would also limit the ability of the malicious documents. Further,
a successful attack would require that the user open the malicious document.
Best practices recommend that users not open documents from unknown or
untrusted sources.

What causes the vulnerability?

The vulnerability results because the macro detecting framework can fail to
detect all instances in which the macro processor can execute macro
commands. When a valid document is intentionally designed to obfuscate the
presence of macros, it is still possible for those macros to execute.

What are macros?

Macros are small programs within applications such as Excel and PowerPoint.
When macros run, they can take actions within the application or the
operating system as if they were the user. An example of a simple action a
macro might take in an application would be to find and replace text within
a document. A more sophisticated macro might include features that perform
automatic formatting on a document, copy files from the local system to the
network, and send review copies by email. Because macros are really small
programs, it is possible for attackers to create malicious macros that take
undesirable actions, such as deleting files, sending unwanted messages by
email, or changing the data in documents. To help protect against malicious
macros, Excel and PowerPoint have a security model that prevents macros from
executing without warning.

What's wrong with the macro protection in Excel and PowerPoint?
It is possible for a malicious user to create a specially malformed Excel or
PowerPoint document that would bypass the macro protections and allow macros
to execute automatically.

Is it possible to create a document like this by accident?

No. It is not possible to create a document that bypasses macro protection
by accident. It would require very specific, detailed knowledge and such a
document would have to be specifically constructed with malicious intent.

What could an attacker use this vulnerability to do?

This could allow an attacker to craft a malicious document with macro code
that would run automatically when the user opened the document.

What actions could the malicious document take?

Because macros take action on behalf of the user, a macro virus that ran
would be able to take actions that the user himself is able to take,
including changing or deleting files, sending data to external web sites, or
reformatting the hard drive. It's important to highlight that this means
that it is possible for a macro virus to reset the user's security settings.
A successful macro virus attack could leave a system vulnerable to future
attack by disabling the security settings.

How would an attacker carry out an attack against this vulnerability?

An attacker could carry out an attack by several different routes. She could
host a malicious document on a web site internally or on the Internet. She
could place a malicious document on any file server to which she had
appropriate permissions. Additionally, she could target specific individuals
by sending a copy through email. It's important to note that all attempts to
carry out an attack require the potential victim to open the document. It is
not possible to exploit this vulnerability without the user's action.
Opening documents only from known, trusted sources will help to protect
against an attempt to maliciously exploit this vulnerability.

What does the patch do?
The patch eliminates the vulnerability by improving the code which detects
the presence of macros in these document types.

Who should apply the patch?

Anyone using or administering systems running the affected software versions
should apply the patch.

I'm running Excel 97 and/or PowerPoint 97, does this issue affect me?

First, it's important to understand that Excel and PowerPoint 97 do not have
the same macro security framework as Excel and PowerPoint 2000 and 2002. The
Excel and PowerPoint 97 macro security framework lacks many key features
that the 2000 and 2002 macro security framework has, including a digital
signature trust model that allows trusted, signed macros to be
differentiated from untrusted, unsigned macros. Under this older framework,
it is difficult for a user to make an informed decision regarding the
trustworthiness of macros. In addition, as noted under "Tested Versions",
Excel and PowerPoint 97 are no longer supported products. Because of these
two issues, customers who are concerned about macro security are urged to
upgrade to a supported version with a more robust macro security model.

Are other members of the Office Suite vulnerable?

No. All members of the Office Suites for Windows and Macintosh were tested.
No other products in the Office Suite were found to be vulnerable.
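The technical description and the "What causes the vulnerability?" answer above describe Office scanning a document for macros at open time and a malformed file slipping past that scan. As an added example that is not part of the CIAC or Microsoft bulletin, the Python script below is an independent, defender-side check of the kind a mail gateway or incident responder can run on the Excel 2000/2002 and PowerPoint 2000/2002 binary formats: using only the standard library it parses the OLE2 compound-file container those formats use, enumerates every used directory slot rather than only the tree linked from the root entry, and flags the storage and stream names Office uses for VBA projects. The bulletin does not say how the malformed documents evade Office's own check, so nothing here reproduces that; the sample document is constructed inline, the marker names and the directory-entry layout are assumptions stated in comments, and the script file name in the usage note is hypothetical.

```python
import struct

# Special sector numbers defined by the compound-file (OLE2) format.
MAXREGSECT = 0xFFFFFFFA
FATSECT = 0xFFFFFFFD
ENDOFCHAIN = 0xFFFFFFFE
FREESECT = 0xFFFFFFFF
NOSTREAM = 0xFFFFFFFF
MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Assumed marker set: storage and stream names Office uses for VBA projects
# (Excel keeps them under _VBA_PROJECT_CUR, Word under Macros; both hold a VBA
# storage with dir and _VBA_PROJECT streams). Matched case-insensitively.
MACRO_MARKERS = {"_vba_project_cur", "macros", "vba", "_vba_project", "dir"}


def _read_fat(data, sector_size):
    """Return the FAT as a list, following the 109 DIFAT slots in the header."""
    n_fat = struct.unpack_from("<I", data, 0x2C)[0]
    difat = struct.unpack_from("<109I", data, 0x4C)
    fat = []
    for sec in difat[:n_fat]:  # files with >109 FAT sectors chain extra DIFAT sectors; not handled here
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, (sec + 1) * sector_size))
    return fat


def _chain(fat, start):
    """Yield the sectors of a chain, refusing to loop forever on a corrupted FAT."""
    seen = set()
    while start <= MAXREGSECT and start < len(fat) and start not in seen:
        seen.add(start)
        yield start
        start = fat[start]


def list_entries(data):
    """List (name, type) for every used 128-byte directory slot, linked from the root tree or not."""
    if data[:8] != MAGIC:
        raise ValueError("not an OLE2 compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    fat = _read_fat(data, sector_size)
    first_dir = struct.unpack_from("<I", data, 0x30)[0]
    entries = []
    for sec in _chain(fat, first_dir):
        base = (sec + 1) * sector_size
        for i in range(sector_size // 128):
            entry = data[base + i * 128: base + (i + 1) * 128]
            name_len, etype = struct.unpack_from("<HB", entry, 64)  # UTF-16 name length (incl. NUL), object type
            if etype == 0:  # unused slot
                continue
            name = entry[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
            entries.append((name, etype))
    return entries


def find_macro_indicators(data):
    """Names of storages/streams that indicate a VBA project, wherever they sit in the container."""
    return [name for name, _ in list_entries(data) if name.lower() in MACRO_MARKERS]


def has_macro_indicators(data):
    return bool(find_macro_indicators(data))


def _dir_entry(name, etype, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM, start=ENDOFCHAIN, size=0):
    raw = name.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<64sHBBIII16sIQQIQ", raw, len(raw), etype, 1,
                       left, right, child, b"\x00" * 16, 0, 0, 0, start, size)


def build_sample_document(with_vba=True):
    """Constructed sample: header, one FAT sector, one directory sector and, when
    with_vba is set, a placeholder _VBA_PROJECT stream in sector 2. Not a real workbook."""
    sector_size = 512
    payload = b"constructed placeholder for a VBA project stream"
    header = bytearray(sector_size)
    header[0:8] = MAGIC
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # versions, byte order, sector shifts
    # dir sector count (v3: 0), FAT sectors, first dir sector, txn sig, mini cutoff, mini FAT, count, DIFAT
    struct.pack_into("<8I", header, 0x28, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN)
    struct.pack_into("<109I", header, 0x4C, 0, *([FREESECT] * 108))
    fat = [FATSECT, ENDOFCHAIN] + [FREESECT] * (sector_size // 4 - 2)
    entries = [_dir_entry("Root Entry", 5, child=1), _dir_entry("Workbook", 2)]
    if with_vba:
        fat[2] = ENDOFCHAIN
        entries[1] = _dir_entry("Workbook", 2, right=2)
        entries += [_dir_entry("_VBA_PROJECT_CUR", 1, child=3),
                    _dir_entry("_VBA_PROJECT", 2, start=2, size=len(payload))]
    directory = b"".join(entries).ljust(sector_size, b"\x00")
    data = bytes(header) + struct.pack("<%dI" % len(fat), *fat) + directory
    if with_vba:
        data += payload.ljust(sector_size, b"\x00")
    return data


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, find_macro_indicators(fh.read()))
    if len(sys.argv) == 1:
        print("constructed sample:", find_macro_indicators(build_sample_document()))
```

Run as `python ole_macro_scan.py file.xls` (hypothetical file name) to scan real files; with no arguments it scans the constructed sample. The check is deliberately independent of the application: a gateway that relies on the application's own macro flag inherits the application's blind spots, whereas a parser that walks every slot of the container sees each storage regardless of how it is linked. It covers VBA projects only; Excel 4.0 macro sheets live inside the Workbook stream as BIFF records and need a BIFF parser, which this script does not include.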
Patch availability

Download locations for this patch

  Microsoft Excel 2000 for Windows:
    http://download.microsoft.com/download/excel2000/e2kmac/1/w98nt42kme/en-us/e2kmac.exe
  Microsoft Excel 2002 for Windows:
    http://download.microsoft.com/download/excel2002/exc1001/1/w98nt42kme/en-us/exc1001.exe
  Microsoft Excel 98 for Macintosh:
    http://www.microsoft.com/mac/download/office98/pptxlmacro.asp
  Microsoft Excel 2001 for Macintosh:
    http://www.microsoft.com/mac/download/office2001/pptxlmacro.asp
  Microsoft PowerPoint 2000 for Windows:
    http://download.microsoft.com/download/powerpoint2000/p2kmac/1/w98nt42kme/en-us/p2kmac.exe
  Microsoft PowerPoint 2002 for Windows:
    http://download.microsoft.com/download/powerpoint2002/ppt1001/1/w98nt42kme/en-us/ppt1001.exe
  Microsoft PowerPoint 98 for Macintosh:
    http://www.microsoft.com/mac/download/office98/pptxlmacro.asp
  Microsoft PowerPoint 2001 for Macintosh:
    http://www.microsoft.com/mac/download/office2001/pptxlmacro.asp

Additional information about this patch

Installation platforms: These patches can be installed on systems running
Excel or PowerPoint 2000 SR-1 or SP2 for Windows and systems running Excel
or PowerPoint 98 or 2001 for Macintosh.

Inclusion in future service packs: The fix for this issue will be included
in Office XP Service Pack 1.

Reboot needed: No

Superseded patches: None.

Verifying patch installation:

  Microsoft Excel 2000 for Windows: Select the Help menu, choose "About",
  and verify that the version shown in the dialogue is 9.0.5519.

  Microsoft Excel 2002 for Windows: Select the Help menu, choose "About",
  and verify that the version shown in the dialogue is 10.3207.2625.

  Microsoft PowerPoint 2000 for Windows: Select the Help menu, choose
  "About", and verify that the version shown in the dialogue is 9.0.5519.

  Microsoft PowerPoint 2002 for Windows: Select the Help menu, choose
  "About", and verify that the version shown in the dialogue is
  10.3207.2625.

  Microsoft Excel and PowerPoint 98 for Macintosh: Select the file in the
  Finder. From the File menu, choose "Get Info", and verify that the version
  shown is 9.0.1 (3618).

  Microsoft Excel and PowerPoint 2001 for Macintosh: Select the file in the
  Finder. From the File menu, choose "Get Info", and verify that the
  description shown is "2001 Security Update".

Caveats: None

Localization: Localized versions of this patch are available at the
locations discussed in "Obtaining other security patches".

Obtaining other security patches: Patches for other security issues are
available from the following locations:

  Security patches are available from the Microsoft Download Center, and
  can be most easily found by doing a keyword search for "security_patch".

  Patches for consumer platforms are available from the WindowsUpdate web
  site.

  All patches available via WindowsUpdate also are available in a
  redistributable form from the WindowsUpdate Corporate site.

Other information:

Acknowledgments

Microsoft thanks Peter Ferrie of Symantec Security Response
(http://securityresponse.symantec.com) for reporting this issue to us and
working with us to protect customers.

Support: Microsoft Knowledge Base articles Q306603, Q306604, Q306605,
Q306606 discuss these issues and will be available approximately 24 hours
after the release of this bulletin. Knowledge Base articles can be found on
the Microsoft Online Support web site. Technical support is available from
Microsoft Product Support Services. There is no charge for support calls
associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.

Disclaimer: The information provided in the Microsoft Knowledge Base is
provided "as is" without warranty of any kind. Microsoft disclaims all
warranties, either express or implied, including the warranties of
merchantability and fitness for a particular purpose.
In no event shall Microsoft Corporation or its suppliers be liable for any
damages whatsoever including direct, indirect, incidental, consequential,
loss of business profits or special damages, even if Microsoft Corporation
or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not
apply.

Revisions:

  V1.0 (October 04, 2001): Bulletin Created.

[****** End Advisory ******]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Center, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-138: Gauntlet Firewall CSMAP and smap/smapd Buffer Overflow Vulnerability
L-139: Microsoft IIS "%u encoding IDS bypass vulnerability"
L-140: Gauntlet Firewall CSMAP and smap/smapd Buffer Overflow Vulnerability
L-141: RSA BSAFE SSL-J 3.x Vulnerability
L-142: RPC Endpoint Mapper Vulnerability
L-143: HP libsecurity Vulnerability
L-144: The W32.nimda Worm
M-001: Cisco Secure IDS Signature Obfuscation Vulnerability
M-002: Multi-Vendor format String Vulnerability in ToolTalk Service
M-003: Hewlett-Packard rpcbind Security Vulnerability