             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

               Microsoft Office Web Components Vulnerabilities
                    [Microsoft Security Bulletin MS02-044]

August 23, 2002 21:00 GMT                                         Number M-117
______________________________________________________________________________
PROBLEM:       Office Web Components (OWC) is a component of several Microsoft
               products and provides Microsoft Office functionality within a
               Web browser. There are three new vulnerabilities in the ActiveX
               controls that result from implementation errors in the methods
               and functions that the controls expose.

PLATFORM:      Office Web Components 2000, Office Web Components 2002

DAMAGE:        A remote attacker could issue commands against the user's
               system; could read files on the user's machine; could gain
               access to whatever data is in the Windows clipboard.

SOLUTION:      Apply the appropriate patch for the Microsoft product as
               prescribed in Microsoft's Security Bulletin.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. The most serious vulnerability could allow
ASSESSMENT:    an attacker to execute arbitrary commands on a user's system.
               Also, an attacker could easily integrate the vulnerability into
               mass-emailing Internet worms.
______________________________________________________________________________
LINKS:         CIAC BULLETIN:     http://www.ciac.org/ciac/bulletins/m-117.shtml
               ORIGINAL BULLETIN: http://www.microsoft.com/technet/treeview/default.asp?url=
                                  /technet/security/bulletin/ms02-044.asp
               PATCHES:
               General Patch:
                 http://support.microsoft.com/default.aspx?scid=kb;%5bLN%5d;Q322382
               Microsoft Project 2002:
                 http://office.microsoft.com/downloads/2002/prj1001.aspx
               Microsoft Project Server 2002:
                 http://office.microsoft.com/downloads/2002/ps1001en.aspx
               Office Web Components Download:
                 http://office.microsoft.com/downloads/2002/owc10.aspx
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS02-044 *****]

Unsafe Functions in Office Web Components (Q328130)

Originally posted: August 21, 2002

Summary

Who should read this bulletin: All customers using Office Web Components,
which is available as a stand-alone download and included as part of the
Microsoft® products detailed below.

Impact of vulnerability: Three vulnerabilities, the most serious of which
could allow an attacker to run commands on the user's system.

Maximum Severity Rating: Critical

Recommendation: Customers using these products should install the
appropriate patches immediately.
Affected Software:

  Microsoft Office Web Components 2000
  Microsoft Office Web Components 2002

Products which Include the Affected Software:

  Microsoft BackOffice® Server 2000
  Microsoft BizTalk® Server 2000
  Microsoft BizTalk Server 2002
  Microsoft Commerce Server 2000
  Microsoft Commerce Server 2002
  Microsoft Internet Security and Acceleration Server 2000
  Microsoft Money 2002
  Microsoft Money 2003
  Microsoft Office 2000
  Microsoft Office XP
  Microsoft Project 2002
  Microsoft Project Server 2002
  Microsoft Small Business Server 2000

Technical details

Technical description:

The Office Web Components (OWC) contain several ActiveX controls that give
users limited functionality of Microsoft Office in a web browser without
requiring that the user install the full Microsoft Office application. This
allows users to utilize Microsoft Office applications in situations where
installation of the full application is infeasible or undesirable.

The control contains three security vulnerabilities, each of which could be
exploited either via a web site or an HTML mail. The vulnerabilities result
because of implementation errors in the following methods and functions the
controls expose:

  Host(). This function, by design, provides the caller with access to
  applications' object models on the user's system. By using the Host()
  function, an attacker could, for instance, open an Office application on
  the user's system and invoke commands there that would execute operating
  system commands as the user.

  LoadText(). This method allows a web page to load text into a browser
  window. The method does check that the source of the text is in the same
  domain as the window, and in theory should restrict the page to only
  loading text that it hosts itself. However, it is possible to circumvent
  this restriction by specifying a text source located within the web
  page's domain, and then setting up a server-side redirect of that text to
  a file on the user's system.
  This would provide an attacker with a way to read any desired file on the
  user's system.

  Copy()/Paste(). These methods allow text to be copied and pasted. A
  security vulnerability results because the method does not respect the
  "disallow paste via script" security setting in IE. Thus, even if this
  setting had been selected, a web page could continue to access the copy
  buffer, and read any text that the user had copied or cut from within
  other applications.

The patch does not set the "kill bit" on the control, for reasons discussed
in the FAQ.

Mitigating factors:

Overall:

  In the case of the web-based attack, an attacker would need to force a
  user to visit the attacker's Web site. Users who exercise caution in
  visiting web sites could minimize their risk.

  In the web-based attack, if ActiveX controls have been disabled in the
  zone in which the page were viewed, the vulnerability could not be
  exploited. Users who place untrusted sites in the Restricted Sites zone,
  which disables ActiveX by default, or have disabled ActiveX controls in
  the Internet zone could minimize their risk.

  In the case of HTML email based attacks, customers who read email in the
  Restricted Sites zone would be protected against attempts to exploit this
  vulnerability. Customers using Outlook 2002 and Outlook Express 6.0, as
  well as Outlook 2000 and Outlook 98 customers who have applied the Outlook
  Email Security Update would thus be protected by default. Also, Outlook
  Express 5.0 customers who have chosen to read mail in the Restricted Sites
  zone would be protected by default.

  In the HTML email based attack, Outlook 2002 customers who have enabled
  the "Read as Plain Text" option available in SP1 or later would also be
  protected.

Host() Vulnerability:

  The attacker's code would be limited by restrictions on the user's
  account. Users of non-privileged accounts would limit the potential
  damage from a successful attack.

LoadText():

  The attacker would need to know the full path and name of the file.
Copy()/Paste():

  The vulnerability could enable an attacker to access only information in
  the Windows clipboard. The information in the clipboard is unpredictable
  and this vulnerability gives no means for an attacker to target and
  retrieve specific information. Further, it is possible for the clipboard
  to be empty, which would yield an attacker nothing.

  The security setting in question is not enabled by default. Thus, the
  vulnerability does not present a threat to the default installation.

Host() Vulnerability:

                               Internet Servers  Intranet Servers  Client Systems
  Office Web Components 2000   Moderate          Moderate          Critical
  Office Web Components 2002   Moderate          Moderate          Critical

LoadText() Vulnerability:

                               Internet Servers  Intranet Servers  Client Systems
  Office Web Components 2000   Low               Low               Critical
  Office Web Components 2002   Low               Low               Critical

Copy()/Paste() Vulnerability:

                               Internet Servers  Intranet Servers  Client Systems
  Office Web Components 2000   Low               Low               Low
  Office Web Components 2002   Low               Low               Low

Aggregate Severity of All Vulnerabilities Addressed by this patch:

                               Internet Servers  Intranet Servers  Client Systems
  Office Web Components 2000   Moderate          Moderate          Critical
  Office Web Components 2002   Moderate          Moderate          Critical

The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them. While the OWC are installed
in conjunction with server products, best practice recommends against the
usage patterns (visiting untrusted web sites and reading HTML email) required
to exploit these vulnerabilities on servers.

Vulnerability identifiers:

  Host() Vulnerability:          CAN-2002-0727
  LoadText() Vulnerability:      CAN-2002-0860
  Copy()/Paste() Vulnerability:  CAN-2002-0861

Tested Versions:

Microsoft tested the following products, Office Web Components 2000 and
Office Web Components 2002, to assess whether they are affected by this
vulnerability. There were no previous versions of OWC.
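The LoadText() weakness described under Technical details is a same-domain check applied once, to the requested URL, before a server-side redirect can send the actual fetch elsewhere. The following Python sketch is added here as an illustration and is not code from the CIAC or Microsoft bulletin: it contrasts that one-shot check with a check re-applied on every redirect hop; FAKE_SERVER, fake_fetch, example.test and the file path are constructed stand-ins for a real network fetch.

```python
from urllib.parse import urljoin, urlparse

# Constructed stand-in for the network: URL -> (status, body or redirect target).
# example.test and the file path are made-up sample values, not from the bulletin.
FAKE_SERVER = {
    "http://example.test/page/data.txt": (302, "file:///C:/constructed/secret.txt"),
    "http://example.test/page/ok.txt": (200, "text hosted by the page itself"),
    "file:///C:/constructed/secret.txt": (200, "contents of a local file"),
}
REDIRECTS = {301, 302, 303, 307, 308}


def fake_fetch(url):
    """Hypothetical fetch: looks the URL up in the constructed table."""
    return FAKE_SERVER.get(url, (404, ""))


def same_origin(a, b):
    """Scheme, host and port must all match (the 'same domain' test)."""
    pa, pb = urlparse(a), urlparse(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)


def load_text_naive(page_url, src_url, fetch=fake_fetch, max_hops=5):
    """Flawed pattern: check the requested URL once, then follow redirects blindly."""
    if not same_origin(page_url, src_url):
        return None
    url = src_url
    for _ in range(max_hops):
        status, payload = fetch(url)
        if status in REDIRECTS:
            url = urljoin(url, payload)  # a redirect may leave the origin unnoticed
            continue
        return payload if status == 200 else None
    return None


def load_text_hardened(page_url, src_url, fetch=fake_fetch, max_hops=5):
    """Hardened pattern: re-check scheme and origin on every hop, including the last."""
    url = src_url
    for _ in range(max_hops):
        if urlparse(url).scheme not in ("http", "https") or not same_origin(page_url, url):
            return None  # refuses file:, other hosts, or anything a redirect pointed at
        status, payload = fetch(url)
        if status in REDIRECTS:
            url = urljoin(url, payload)
            continue
        return payload if status == 200 else None
    return None  # too many hops
```

Against the constructed table, the naive version returns the local file's contents via the redirect while the hardened version returns None for the same request and still serves text the page hosts itself.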
In addition, Microsoft investigated all supported versions of the software
listed in the "Products which Include the Affected Software" section to
determine whether they included the vulnerable software. Previous versions
are no longer supported, and may or may not be affected by these
vulnerabilities.

Patch availability

Download locations for this patch

Microsoft recommends that users install the Office XP SP2 update using the
Office Product Updates site.

  General Patch:
    http://support.microsoft.com/default.aspx?scid=kb;%5bLN%5d;Q322382
  Microsoft Project 2002:
    http://office.microsoft.com/downloads/2002/prj1001.aspx
  Microsoft Project Server 2002:
    http://office.microsoft.com/downloads/2002/ps1001en.aspx
  Office Web Components Download:
    http://office.microsoft.com/downloads/2002/owc10.aspx

Additional information about this patch

Installation platforms:

  General Patch:
    Microsoft BackOffice Server 2000 Gold or later
    Microsoft BizTalk Server 2000 Gold or later
    Microsoft BizTalk Server 2002 Gold or later
    Microsoft Commerce Server 2000 Gold or later
    Microsoft Commerce Server 2002 Gold or later
    Microsoft Internet Security and Acceleration Server 2000 Gold or later
    Microsoft Money 2002 or later
    Microsoft Money 2003 or later
    Microsoft Office 2000 Gold or later
    Microsoft Office XP Gold or later
    Microsoft Project Server 2002 Gold or later
    Microsoft Small Business Server 2000 Gold or later

  Microsoft Project 2002 Patch:
    Microsoft Project 2002 Gold or later

  Microsoft Project Server 2002 Patch:
    Microsoft Project Server 2002 Gold or later

Inclusion in future service packs: The fix for this issue is included in
Office XP Service Pack 2.

Reboot needed: No reboot is required if all Office applications are closed
when the patch is applied.

Patch can be uninstalled: No

Superseded patches: None.

Verifying patch installation:

  General patch: Verify the file versions as discussed in Q322382.

  Microsoft Project 2002 patch: Verify the file versions as discussed in
  Q328043.
  Microsoft Project Server 2002 patch: Verify the file versions as discussed
  in Q328044.

Caveats: None

Localization: Localized versions of this patch are available at the
locations discussed in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following
locations:

  Security patches are available from the Microsoft Download Center, and
  can be most easily found by doing a keyword search for "security_patch".

  Patches for consumer platforms are available from the WindowsUpdate web
  site.

Other information:

Support:

  Microsoft Knowledge Base article Q328130 discusses this issue and will be
  available approximately 24 hours after the release of this bulletin.
  Knowledge Base articles can be found on the Microsoft Online Support web
  site.

  Technical support is available from Microsoft Product Support Services.
  There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages, even
if Microsoft Corporation or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.

Revisions:

  V1.0 (August 21, 2002): Bulletin Created.
  V1.1 (August 22, 2002): Bulletin updated to correct factual error
  regarding the type of files that can be read using the LoadText() method.
[***** End Microsoft Security Bulletin MS02-044 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation and
Internet Security Systems for the information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government.
Neither the United States Government nor the University of California nor
any of their employees, makes any warranty, express or implied, or assumes
any legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process disclosed, or
represents that its use would not infringe privately owned rights. Reference
herein to any specific commercial products, process, or service by trade
name, trademark, manufacturer, or otherwise, does not necessarily constitute
or imply its endorsement, recommendation or favoring by the United States
Government or the University of California. The views and opinions of authors
expressed herein do not necessarily state or reflect those of the United
States Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-107: Unchecked Buffer in Content Management Server
M-108: Vulnerability in HP Apache Server PHP
M-109: Common Desktop Environment (CDE) ToolTalk Buffer Overflow
M-110: Buffer Overflow in Multiple Domain Name System (DNS) Libraries
M-111: Integer Overflow in External Data Representation (XDR) Library
M-112: Microsoft Cumulative Patch for SQL Server
M-113: Microsoft Network Connection Manager (NCM) Flaw Could Enable
       Privilege Elevation
M-114: Apache 2.0 Path Disclosure Vulnerability
M-115: Novell NetWare 6.0 RConsoleJ Authentication Bypass Vulnerability
M-116: Microsoft Cumulative Patch for Internet Explorer