
             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                    Microsoft Word and Excel Vulnerabilities
                     [Microsoft Security Bulletin MS03-050]

November 11, 2003 19:00 GMT                                       Number O-023
______________________________________________________________________________
PROBLEM:       EXCEL - A security vulnerability that could allow malicious 
               code execution exists in the Microsoft Excel method used to 
               check the spreadsheet before reading the macro instructions.
                
               WORD - A security vulnerability that could allow malicious code 
               execution in Microsoft Word exists due to to the way Word 
               checks the length of a data value (Macro names) embedded in a 
               document. 
PLATFORM:      Microsoft Excel 97 
               Microsoft Excel 2000 
               Microsoft Excel 2002 
               Microsoft Word 97 
               Microsoft Word 98(J) 
               Microsoft Word 2000 
               Microsoft Works Suite 2001 
               Microsoft Word 2002 
               Microsoft Works Suite 2002 
               Microsoft Works Suite 2003 
               Microsoft Works Suite 2004 
DAMAGE:        EXCEL - an attacker could craft a malicious file that could 
               bypass the macro security model. Having access to the same 
               permissions as the user, the malicious macro could perform 
               various actions. 
               
               WORD - If a specially crafted document were to be opened it 
               could overflow a data value in Word and allow arbitrary code 
               to be executed. Having access to the same permissions as the 
               user, the attacker could perform various actions. 
SOLUTION:      Apply patches as recommended by Microsoft. 
               EXCEL - This patch replaces the security patches contained in 
               the following bulletins: MS01-050(CIAC Bulletin M-004), 
               MS02-031, and MS02-059. 
               
               WORD - This patch replaces the security patches contained in 
               the following bulletins: MS02-021(CIAC Bulletin M-073), 
               MS02-031, MS02-059 and MS03-035(CIAC Bulletin N-142). 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. These vulnerabilities could only be 
ASSESSMENT:    exploited by an attacker who persuaded a user to open a 
               malicious file. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-023.shtml 
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?
                       url=/technet/security/bulletin/ms03-050.asp 
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= 
                     CAN-2003-0820 
                     CAN-2003-0821 
______________________________________________________________________________
[***** Start Microsoft Security Bulletin MS03-050 *****]

Microsoft Security Bulletin MS03-050 

Vulnerability in Microsoft Word and Microsoft Excel Could Allow 
Arbitrary Code to Run (831527)
Issued: November 11, 2003
Version: 1.0

See all Office bulletins released November, 2003

Summary
Who should read this document: Customers who are using Microsoft® Excel 
or Microsoft Word 

Impact of vulnerability: Run code of attackers choice

Maximum Severity Rating: Important

Recommendation: Customers who are using the affected versions of Microsoft 
Excel or Microsoft Word should apply the appropriate security update at 
the earliest opportunity. 

Security Update Replacement Excel: This patch replaces the security patches 
contained in the following bulletins: MS01-050, MS02-031 and MS02-059. 

Security Update Replacement Word: This patch replaces the security patches 
contained in the following bulletins: MS02-021, MS02-031, MS02-059 and 
MS03-035. 

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software: 

Microsoft Excel 97 - Download the update 
Microsoft Excel 2000 - Download the update 
Microsoft Excel 2002 - Download the update 
Microsoft Word 97 - Download the update 
Microsoft Word 98(J) - Download the update 
Microsoft Word 2000 and Microsoft Works Suite 2001 - Download the update 
Microsoft Word 2002, Microsoft Works Suite 2002, Microsoft Works Suite 2003, 
and Microsoft Works Suite 2004 - Download the update 

Non Affected Software: 

Microsoft Office Word 2003 
Microsoft Office Excel 2003 

The software listed above has been tested to determine if the versions are 
affected. Other versions are no longer supported, and may or may not be 
affected.

Technical Details
Technical description:

A security vulnerability exists in Microsoft Excel that could allow 
malicious code execution. This vulnerability exists because of the 
method Excel uses to check the spreadsheet before reading the macro 
instructions. If successfully exploited, an attacker could craft a 
malicious file that could bypass the macro security model. If an 
affected spreadsheet was opened, this vulnerability could allow a 
malicious macro embedded in the file to be executed automatically, 
regardless of the level at which the macro security is set. The 
malicious macro could then take the same actions that the user had 
permissions to carry out, such as adding, changing or deleting data 
or files, communicating with a web site or formatting the hard drive. 

A security vulnerability exists in Microsoft Word that could allow 
malicious code execution. This vulnerability exists due to to the 
way Word checks the length of a data value (Macro names) embedded 
in a document. If a specially crafted document were to be opened 
it could overflow a data value in Word and allow arbitrary code to 
be executed. If successfully exploited, an attacker could then take 
the same actions as the user had permissions to carry out, such as 
adding, changing or deleting data or files, communicating with a web 
site or formatting the hard drive. 

Mitigating factors: 

If a user of Office 97 or Office 2000 has installed the Office Documentation 
Open Confirm Tool, the user will always get a “file open” warning dialog 
box when trying to open an Office document using Internet Explorer. For 
Office XP and Office System 2003 this “file open” warning dialog box is 
enabled by default. 

These vulnerabilities could only be exploited by an attacker who persuaded 
a user to open a malicious file – there is no way for an attacker to force 
a user to open a malicious file. 

Severity Rating:

Microsoft Excel 97         Important 
Microsoft Excel 2000       Important 
Microsoft Excel 2002       Important 
Microsoft Word 97          Important 
Microsoft Word 98(J)       Important 
Microsoft Word 2000        Important 
Microsoft Word 2002        Important 
Microsoft Works Suite 2001 Important 
Microsoft Works Suite 2002 Important 
Microsoft Works Suite 2003 Important 
Microsoft Works Suite 2004 Important 

The above assessment is based on the types of systems affected by the 
vulnerability, their typical deployment patterns, and the effect that 
exploiting the vulnerability would have on them. 

Vulnerability identifier Word: CAN-2003-0820
Vulnerability identifier Excel: CAN-2003-0821

Workarounds
Due to the fact that this vulnerability bypasses the built-in macro 
security, the best workaround if you are unable to deploy the update 
is to not open documents from un-trusted sources.


Security Update Information
For information about the specific security update for your platform, 
click the appropriate link: 

For Microsoft Works Suite 2001 use the Word 2000 section 

For Microsoft Works Suite 2002, 2003 and 2004 update use the Word 2002 
section 

Acknowledgments

Microsoft thanks for working with us to protect customers: 

Kazuyuki Housaka for reporting the issue in Excel. 

Obtaining other security updates:

Updates for other security issues are available from the following locations: 

Security updates are available from the Microsoft Download Center, and can 
be most easily found by doing a keyword search for "security_patch". 

Updates for consumer platforms are available from the WindowsUpdate web 
site 

Support: 

Technical support is available from Microsoft Product Support Services at 
1-866-PCSAFETY. There is no charge for support calls associated with 
security patches.

International customers can get support from their local Microsoft 
subsidiaries. There is no charge for support associated with security 
updates. Information on how to contact Microsoft support is available 
at http://support.microsoft.com/common/international.aspx 

Security Resources: 
The Microsoft TechNet Security Web Site provides additional information about 
security in Microsoft products. 

Microsoft Software Update Services: 
http://www.microsoft.com/sus/">http://www.microsoft.com/sus/">
http://www.microsoft.com/sus/ 

Microsoft Baseline Security Analyzer (MBSA) details: 
http://www.microsoft.com/technet/security/tools/mbsahome.asp. 
Please see 
http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 
for list of security updates that have detection limitations with MBSA tool.
 
Windows Update Catalog: 
http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166 

Windows Update: http://windowsupdate.microsoft.com 

Office Update: http://office.microsoft.com/officeupdate/ 
Software Update Services (SUS):

Microsoft Software Update Services (SUS) enables administrators to 
quickly and reliably deploy the latest critical updates and security 
updates to Windows® 2000 and Windows Server™ 2003-based servers, as 
well as to desktop computers running Windows 2000 Professional or 
Windows XP Professional.

For information about how to deploy this security patch with Software 
Update Services, visit the following Microsoft Web site:

http://www.microsoft.com/sus/

Systems Management Server (SMS):

Systems Management Server can provide assistance deploying this security 
update. For information about Systems Management Server visit the SMS Web 
Site. SMS also provides several additional tools to assist administrators 
in the deployment of security updates such as the SMS 2.0 Software Update 
Services Feature Pack and the SMS 2.0 Administration Feature Pack. The SMS 
2.0 Software Update Services Feature Pack utilizes the Microsoft Baseline 
Security Analyzer and the Microsoft Office Detection Tool to provide broad 
support for security bulletin remediation. Some software updates may require 
administrative rights following a restart of the computer.

Note: The inventory capabilities of the SMS 2.0 Software Update Services 
Feature Pack may be used for targeting updates to specific computers, and 
the SMS 2.0 Administration Feature Pack's Elevated Rights Deployment Tool 
can be used for installation. This provides optimal deployment for updates 
that require explicit targeting using Systems Management Server and 
administrative rights after the computer has been restarted.

Disclaimer: 

The information provided in the Microsoft Knowledge Base is provided "as is" 
without warranty of any kind. Microsoft disclaims all warranties, either 
express or implied, including the warranties of merchantability and fitness 
for a particular purpose. In no event shall Microsoft Corporation or its 
suppliers be liable for any damages whatsoever including direct, indirect, 
incidental, consequential, loss of business profits or special damages, 
even if Microsoft Corporation or its suppliers have been advised of the 
possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for consequential or incidental damages so the 
foregoing limitation may not apply. 

Revisions: 

V1.0 (November 11, 2003): Bulletin published 

[***** End Microsoft Security Bulletin MS03-050 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation  for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-013: Buffer Overflow in Oracle Binary
O-014: SGI Wildcard Exportfs Issue in Network File SYstem (NFS)
O-015: Apache HTTP Server 2.0.48 Release Fixes Security Vulnerabilities
O-016: Apache HTTP Server 1.3.29 Release Fixes Security Vulnerability
O-017: SQL Injection Vulnerability in Oracle9i Application Server
O-018: Hewlett Packard Java VM Classloader (J2SE)
O-019: Hewlett Packard NLSPATH may contain any path
O-020: Sun Buffer Overflow Vulnerability in the CDE DtHelp Library
O-021: Microsoft Cumulative Security Update for Internet Explorer
O-022: Microsoft Buffer Overrun Vulnerability in Workstation Service