Original release date: October 08, 2001<BR>
Last revised: Mon Oct 15 09:32:36 EDT 2001<BR>
Source: CERT/CC<BR>

<P>A complete revision history can be found at the end of this file.

<A NAME="affected">
<H3>Systems Affected</H3>

Systems running:
<UL>
<LI>Windows
<UL>
<LI>Microsoft Excel 2000  
<LI>Microsoft Excel 2002 
<LI>Microsoft PowerPoint 2000
<LI>Microsoft PowerPoint 2002 
</UL>
<br>
<LI>Macintosh
<UL>
<LI>Microsoft Excel 98 
<LI>Microsoft Excel 2001 
<LI>Microsoft PowerPoint 98 
<LI>Microsoft PowerPoint 2001 
</UL></UL>
<br>

<p>

According to Microsoft, earlier versions of Excel and PowerPoint (or indeed, other
products in the Office suite) may also be affected, but may be outside of
hotfix support. [For example, Symantec <a
href="http://securityresponse.symantec.com/avcenter/security/Content/2001.10.04.html">states</a>
that Microsoft Excel 97 and Microsoft PowerPoint 97 are
vulnerable.] Because Microsoft Excel 97 and Microsoft PowerPoint 97 are
outside of the hotfix support window, these products may be
vulnerable but not eligible for a hotfix. For more information
regarding hotfix eligibility status, please see the <a
href="http://support.microsoft.com/directory/discontinue.asp">Microsoft
Product Support Services</a> webpage. In general,
Microsoft no longer tests software outside of hotfix status for vulnerabilities,
and does not provide patches to address vulnerabilities that may be
discovered in that software.
<p>

<b>Quoting from Microsoft Security Bulletin MS01-050</b>
</p>
<p>

<i>It's important to understand that Excel and PowerPoint 97 do
not have the same macro security framework as Excel and PowerPoint
2000 and 2002. The Excel and PowerPoint 97 macro security framework
lacks many key features that the 2000 and 2002 macro security
framework has, including a digital signature trust model that allows
trusted, signed macros to be differentiated from untrusted, unsigned
macros. Under this older framework, it is difficult for a user to make
an informed decision regarding the trustworthiness of macros.  In
addition, as noted under "Tested Versions", Excel and PowerPoint 97
are no longer supported products. Because of these two issues,
customers who are concerned about macro security are urged to upgrade
to a supported version with a more robust macro security model.</i>
</p>


<A NAME="overview">
<H2>Overview</H2>

<P>
An intruder can include a specially crafted macro in a Microsoft Excel
or PowerPoint document that can avoid detection and run automatically
regardless of the security settings specified by the user.
</P>

<A NAME="description">
<H2>I. Description</H2> 

<P>

Microsoft Excel and PowerPoint scan documents when they are opened and
check for the existence of macros. If the document contains macros,
the user running Excel or PowerPoint is alerted and asked if he would
like the macros to be run. However, Microsoft Excel and PowerPoint may
not detect malformed macros, so a user can unknowingly run macros
containing malicious code when opening an Excel or PowerPoint
document.

<p>An intruder who can entice or deceive a victim into opening a
document using a vulnerable version of Excel or PowerPoint could
take any action the victim could take, including, but not limited to

<ul>
<li>reading, deleting, or modifying data, either locally or on open
file shares</li>
<li>modifying security settings (including macro virus protection
settings)</li>
<li>sending electronic mail</li>
<li>posting data to or retrieving data from web sites</li>
</ul>

<p>For more information, please see</p>

<dl>
<dd>
<A href="http://securityresponse.symantec.com/avcenter/security/Content/2001.10.04.html">http://securityresponse.symantec.com/avcenter/security/Content/2001.10.04.html</a>
</dd>
<dd>
<a href="http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-050.asp">http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-050.asp</a>
</dd>
</dl>

<P>Given the strong potential for widespread abuse of this
vulnerability, we strongly recommend that you apply patches as soon as
you are able. For example, the Melissa virus, which spread in March of
1999, used social engineering to convince victims to execute a macro
embedded in a Microsoft Word document. For more information, see the
CERT/CC Advisory listed below.</P>

<dl>
<dd>
<a href="http://www.cert.org/advisories/CA-1999-04.html">http://www.cert.org/advisories/CA-1999-04.html</a>
</dd>
</dl>

<p>As a general practice, everyone should be aware of the potential
damage that Trojan horses and other kinds of malicious code can cause
to <i>any</i> platform. For more information, see

<dl>
<dd><A
HREF="http://www.cert.org/advisories/CA-1999-02.html">http://www.cert.org/advisories/CA-1999-02.html</a>
</dd>
</dl>


<P>This vulnerability has been assigned the identifier CAN-2001-0718
by the Common Vulnerabilities and Exposures (<a href="http://cve.mitre.org/">CVE</a>) group:</P>

<dl>
<dd><A HREF="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0718">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0718</a>
</dd>
</dl>

<A NAME="impact">
<H2>II. Impact</H2>

<p>
An attacker can execute arbitrary code on the target system with the
privileges of the victim running Excel or PowerPoint.</p>

<A NAME="solution">
<H2>III. Solution</H2>

<p>
<H4>Apply a patch</H4> <A HREF="#vendors">Appendix A</a> contains
information from vendors who have provided information for this
advisory.  We will update the appendix as we receive more
information. If a vendor's name does not appear, then the CERT/CC did
not hear from that vendor.  Please contact your vendor directly.

<p>Until a patch can be applied, and as a general practice, we
recommend using caution when opening attachments. However, it is important to
note that relying on the "From" line in an electronic mail message is
not sufficient to authenticate the origin of the document. 
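
<p>One way a mail gateway could apply this interim caution, shown as an added
example that is not part of the original advisory or any vendor's code: hold
messages that carry Excel or PowerPoint attachments, identified by file
content or name and never by the "From" line. The extension list, function
names and sample messages are assumptions made for illustration.</p>

```python
import email
from email import policy
from email.message import EmailMessage

# Signature of the OLE2 compound-file container used by legacy Excel and
# PowerPoint documents (also by Word and others, so matches are conservative).
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Assumed extension list for this example; adjust to local policy.
OFFICE_EXTS = (".xls", ".xlt", ".xla", ".ppt", ".pot", ".pps")


def office_attachments(raw_message: bytes):
    """Return (filename, reason) for each part that looks like an Office file."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if data.startswith(OLE2_MAGIC):      # content check catches renamed files
            hits.append((name, "ole2-signature"))
        elif name.endswith(OFFICE_EXTS):
            hits.append((name, "extension"))
    return hits


def should_hold(raw_message: bytes) -> bool:
    """Hold for review on attachment type alone; the From header is never read."""
    return bool(office_attachments(raw_message))


def build_sample(sender: str, filename: str, body: bytes) -> bytes:
    """Constructed test message (not real mail)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.org", "Q3 figures"
    m.set_content("See attached.")
    m.add_attachment(body, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    fake_xls = OLE2_MAGIC + b"\x00" * 32   # constructed bytes, not a real workbook
    for sender, fname, body in [("colleague@example.org", "budget.xls", fake_xls),
                                ("colleague@example.org", "notes.txt", fake_xls),
                                ("stranger@example.net", "readme.txt", b"hello")]:
        raw = build_sample(sender, fname, body)
        print(fname, should_hold(raw), office_attachments(raw))
```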

<A NAME="vendors">
<H2>Appendix A. - Vendor Information</H2>

<P>This appendix contains information provided by vendors for this advisory.  When vendors report new information to the CERT/CC, we
update this section and note the changes in our revision history.  If a particular vendor is not listed below, we have not received their comments.</P>

<p>
<A NAME="microsoft">
<H4>Microsoft Corporation</H4>
<p>See <a
href="http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-050.asp">Microsoft
Security Bulletin MS01-050</a></p>
<!-- end vendor -->

</p>

<A NAME="references"><H2>Appendix B. - References</H2></A>

<ol>
<li><a href="http://securityresponse.symantec.com/avcenter/security/Content/2001.10.04.html">http://securityresponse.symantec.com/avcenter/security/Content/2001.10.04.html</a>
<li><a href="http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-050.asp">http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-050.asp</a>
<li><a href="http://www.kb.cert.org/vuls/id/287067">http://www.kb.cert.org/vuls/id/287067</a>
<li><a href="http://www.cert.org/advisories/CA-1999-04.html">http://www.cert.org/advisories/CA-1999-04.html</a>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0718">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0718</a>
</ol>
	

<HR NOSHADE>

<P>The CERT Coordination Center thanks Peter Ferrie and <a href="http://securityresponse.symantec.com">Symantec Security Response</a>, who
discovered this vulnerability and published the information in their <A
href="http://securityresponse.symantec.com/avcenter/security/Content/2001.10.04.html">
advisory.</a> Additionally, we thank <a
href="http://www.microsoft.com">Microsoft Corporation</a>, who
published an <a
href="http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-050.asp">advisory</a>
on this issue.</P>


<HR NOSHADE>

<P>Author: <A
HREF="mailto:cert@cert.org?subject=CA-2001-28%20Feedback%20VU%23287067">Ian
A. Finlay and Shawn V. Hernan.</A>


<P>Copyright 2001 Carnegie Mellon University.</P>

<P>Revision History
<PRE>
October 8, 2001:   initial release
October 11, 2001:  added information to systems affected section
October 15, 2001:  revised systems affected section
</PRE>