Original release date: May 24, 2000<BR>
Last revised: May 26, 2000<BR>
Source: CERT/CC<BR>

<P>A complete revision history is at the end of this file.

<A NAME="affected"/>
<H3>Systems Affected</H3>

<UL>
<LI>Systems with Internet Explorer and Microsoft Office 2000
components, including
<UL>
<LI>Word 2000
<LI>Excel 2000
<LI>PowerPoint 2000
<LI>Access 2000
<LI>Photodraw 2000
<LI>FrontPage 2000
<LI>Project 2000
<LI>Outlook 2000
<LI>Publisher 2000
<LI>Works 2000 Suite
</UL>
</LI>
</UL>

<A NAME="overview"/>
<H2>Overview</H2>

<P>The Microsoft Office 2000 UA ActiveX control is incorrectly marked
as "safe for scripting".  This vulnerability may allow an intruder to
disable macro warnings in Office products and, subsequently, execute
arbitrary code.  This vulnerability may be exploited by viewing an
HTML document via a web page, newsgroup posting, or email message.

<A NAME="description"/>
<H2>I. Description</H2>

<P>Microsoft and L0pht Research Labs have recently published
advisories describing a vulnerability in the Microsoft Office 2000 UA
ActiveX control.  Due to the severity of this vulnerability, we are
issuing a CERT advisory to help reach as broad an audience as
possible.

<H4>ActiveX Overview</H4>

<P>ActiveX controls are highly portable Component Object Model (COM)
objects, used extensively throughout Microsoft Windows platforms, and
especially in web-based applications.  COM objects, including ActiveX
controls, can invoke each other through interfaces defined by the COM
architecture.  The COM architecture allows for interoperability among
binary software components produced in disparate ways.

<P>ActiveX controls can also be invoked from web pages through the use
of a scripting language or directly with an OBJECT tag. If an ActiveX
control is not installed locally, it is possible to specify a URL
where the control can be obtained.  Once obtained, the control
installs itself automatically if permitted by the browser.  Once it is
installed, it can be invoked without the need to be downloaded again.

<P>ActiveX controls can be signed or unsigned.  A signed control
provides a high degree of verification that the control was produced
by the signer and has not been modified.  Signing does not guarantee
the benevolence, trustworthiness, or competence of the signer; it only
provides assurance that the control originated from the signer.

<P>ActiveX controls are binary code capable of taking any action that
the user can take.  They do not run in a "sandbox" of any kind.
Because of this, it is important to have a high degree of trust in the
author of the control.  The CERT/CC recommends against installing any
unsigned controls.

<P>Controls can also be marked as "safe for scripting" indicating that
it is permissible to invoke the control from a script contained in a
web page, using data and parameters provided by that page.  In
essence, a control marked "safe for scripting" is an assertion by the
author that the control has implemented its own "sandbox" and cannot
be used by an intruder to damage or compromise your system.  Because
you must rely on the author of the control to implement this "sandbox"
correctly, controls marked as "safe for scripting" require an
especially high degree of trust.

<P>ActiveX controls are managed by the Windows registry, and it is
cumbersome to audit them or examine their properties without the use
of a specialized tool.  One such tool is the OLE/COM Object Viewer
(oleview.exe) included with the Windows NT Resource Kit.  More
information on oleview is available at

<DL>
<DD><A HREF="http://www.microsoft.com/Com/resources/oleview.asp">
http://www.microsoft.com/Com/resources/oleview.asp</A></DD>
</DL>
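<P>The "safe for scripting" marking can also be audited directly from the registry. The following PowerShell script is an added example and is not part of this advisory; the two category GUIDs (CATID_SafeForScripting and CATID_SafeForInitializing) and the Internet Explorer kill-bit flag value are Microsoft's documented ones, while the function name and report layout are the example's own.

```powershell
# Added example: list every control registered as "safe for scripting" and
# report whether Internet Explorer's kill bit is set for it.
$CATID_SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CATID_SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$KillBit  = 0x400   # "Compatibility Flags" bit that stops IE from loading a control
$ClsidKey = 'Registry::HKEY_CLASSES_ROOT\CLSID'

function Get-ScriptSafeControls {
    # Walk every registered CLSID and keep those whose "Implemented Categories"
    # subkey carries the safe-for-scripting category.
    Get-ChildItem $ClsidKey -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $cats  = "$ClsidKey\$clsid\Implemented Categories"
        if (-not (Test-Path "$cats\$CATID_SafeForScripting")) { return }

        $name   = (Get-ItemProperty "$ClsidKey\$clsid" -ErrorAction SilentlyContinue).'(default)'
        $server = (Get-ItemProperty "$ClsidKey\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        # The kill bit lives under HKLM, per CLSID, as a bit in "Compatibility Flags".
        $compat = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid" -ErrorAction SilentlyContinue
        $flags  = if ($compat) { [int]$compat.'Compatibility Flags' } else { 0 }

        [pscustomobject]@{
            CLSID               = $clsid
            Name                = $name
            Server              = $server
            SafeForInitializing = Test-Path "$cats\$CATID_SafeForInitializing"
            KillBitSet          = (($flags -band $KillBit) -ne 0)
        }
    }
}

# Controls a web page can still script: marked safe and not killed. Controls that
# answer IObjectSafety at run time are not in the registry category and need oleview.
Get-ScriptSafeControls | Where-Object { -not $_.KillBitSet } |
    Sort-Object Name | Format-Table CLSID, Name, Server -AutoSize
```

On 64-bit Windows the 32-bit controls are registered under Wow6432Node as well and would need a second pass over that hive.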

<P>More information about ActiveX and COM can be found at

<DL>
<DD><A HREF="http://www.microsoft.com/com">
http://www.microsoft.com/com</A></DD>
</DL>

<H4>The Microsoft Office 2000 UA ActiveX Control</H4>

<P>The UA ActiveX control implements the "Show Me" feature of the
interactive help system. Because the control is incorrectly marked
"safe for scripting", a malicious web author may use the UA ActiveX
control to script interactions that result in reduced security, such
as activating the dialog box for "Macro Security Setting" and
selecting the least secure choice.  The control is correctly signed by
Microsoft.

<H4>Other Advisories and Information</H4>

<P>L0pht Research Labs and @Stake Inc. published an advisory
describing this vulnerability.  They also produced a proof-of-concept
exploit.  These documents are available from the L0pht web site:

<DL>
<DD><A HREF="http://www.l0pht.com/advisories/msoua.txt">
http://www.l0pht.com/advisories/msoua.txt</A></DD>
</DL>

<P>Microsoft has published a security bulletin, an FAQ, and a
knowledgebase article describing this vulnerability.  These documents
are available from Microsoft's web site:

<DL>
<DD><A HREF="http://microsoft.com/technet/security/bulletin/ms00-034.asp">
http://microsoft.com/technet/security/bulletin/ms00-034.asp</A></DD>
<DD><A HREF="http://microsoft.com/technet/security/bulletin/fq00-034.asp">
http://microsoft.com/technet/security/bulletin/fq00-034.asp</A></DD>
<DD><A HREF="http://microsoft.com/technet/support/kb.asp?ID=262767">
http://microsoft.com/technet/support/kb.asp?ID=262767</A></DD>
</DL>

<A NAME="impact"/>
<H2>II. Impact</H2>

<P>The Office 2000 UA control is able to perform a wide variety of
actions within the Microsoft Office Product Suite, including

<UL>
<LI>Launch Internet Explorer
<LI>Launch Microsoft Outlook
<LI>Launch Microsoft Visual Basic
<LI>Disable macro virus protection
<LI>Save files
</UL>

<P>Perhaps the most significant impact is the ability to set Macro
Virus Protection to "Low", disabling warnings about malicious macro
activity in future documents. An intruder can exploit this
vulnerability to disable these warnings and then link directly to
another Office document that contains malicious macros. The macros
in the second document will run without confirmation and may take
essentially any action desired by the intruder.

<P>Calls to the vulnerable control may originate in script or OBJECT
tags in web pages, newsgroup postings, or email messages.

<P>As suggested by L0pht, an exploit for this vulnerability could be
incorporated into an electronic mail virus such as LoveLetter or
Melissa. Note that exploitation of this vulnerability under the default
configuration of Internet Explorer 5 and Microsoft Outlook 2000 does
not require the user to open any attachments or confirm any warning
dialogs.

<A NAME="solution"/>
<H2>III. Solution</H2>

<H4>Apply a patch</H4>

<P>Microsoft has produced a patch to correct this vulnerability.  The
patch installs a new version of the control lacking the dangerous
functionality. The new version is also marked "safe for scripting".

<P>As a result of the removed functionality, the "Show Me" and
"pop-up" features of Office help will no longer function.

<P>The patch is available through Office Update at

<DL>
<DD><A HREF="http://officeupdate.microsoft.com/info/ocx.htm">
http://officeupdate.microsoft.com/info/ocx.htm</A></DD>
</DL>

<H4>Limit Exposure to Vulnerability via Email</H4>

<P>Since many e-mail applications provide the ability to start your
web browser automatically, you may wish to reduce your exposure via
mail messages by disabling scripting languages in your email client.

<H5>The Restricted Zone and Active Scripting</H5>

<P>Microsoft suggests in their advisory to configure Outlook to view
mail in the Restricted Zone.  While this is certainly good advice, it
is not sufficient to protect you from exploitation of this
vulnerability if the patch for the Office 2000 UA control has not been
applied.

<P>Because the Restricted Zone still allows the execution of scripts,
an intruder can send you an email message which, when viewed, starts
Internet Explorer and immediately exploits the vulnerability.  To
protect against this scenario, and others like it, you may wish to
disable Active Scripting in the Restricted Zone.

<P>Instructions for changing Outlook to use the Restricted Zone are
available in Microsoft's FAQ on this topic.  Instructions for
disabling Active Scripting in the Restricted Zone are similar to those
at

<DL>
<DD><A HREF="http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps">
http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps</A></DD>
</DL>

<P>Note that these changes may result in reduced functionality in
Internet Explorer and Outlook.
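<P>The following PowerShell script is an added example, not part of this advisory, for verifying the two settings discussed here: the Active Scripting action of the Restricted Zone, and the Office 2000 macro security level that a successful exploit would lower. It assumes the Active Scripting action is stored as value 1400 under zone 4 of the current user's Internet Settings (0 = enable, 1 = prompt, 3 = disable) and that Word, Excel and PowerPoint 2000 keep their macro security level in Office\9.0\&lt;App&gt;\Security\Level (1 = Low, 2 = Medium, 3 = High); the function names are the example's own.

```powershell
# Added example: audit the Restricted Zone's Active Scripting setting and the
# Office 2000 macro security level for the current user.
$ZonesKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames   = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$ScriptState = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }   # action 1400 = Active scripting
$MacroLevels = @{ 1 = 'Low'; 2 = 'Medium'; 3 = 'High' }          # Office 2000 Security\Level

function Get-ActiveScriptingPolicy {
    foreach ($zone in 1..4) {
        $props = Get-ItemProperty "$ZonesKey\$zone" -ErrorAction SilentlyContinue
        $value = $null
        if ($props -and $null -ne $props.'1400') { $value = [int]$props.'1400' }
        $state = 'not set'
        if ($null -ne $value) { $state = $ScriptState[$value] }
        [pscustomobject]@{
            Zone            = $ZoneNames[$zone]
            ActiveScripting = $state
            # The advisory's point: mail viewed in the Restricted Zone can still
            # start IE and run script unless this action is "Disable" (3).
            Weak            = ($zone -eq 4 -and $value -ne 3)
        }
    }
}

function Disable-RestrictedZoneScripting {
    # Apply the hardening the advisory suggests, for the current user only.
    Set-ItemProperty "$ZonesKey\4" -Name '1400' -Value 3 -Type DWord
}

function Get-OfficeMacroSecurityLevel {
    # Assumption: Word, Excel and PowerPoint 2000 keep the level under
    # Office\9.0\<App>\Security as "Level"; the value is absent until changed.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $props = Get-ItemProperty "HKCU:\Software\Microsoft\Office\9.0\$app\Security" -ErrorAction SilentlyContinue
        $level = $null
        if ($props -and $null -ne $props.Level) { $level = [int]$props.Level }
        $text = 'not set (application default)'
        if ($null -ne $level) { $text = $MacroLevels[$level] }
        [pscustomobject]@{
            Application = $app
            Level       = $text
            Weak        = ($level -eq 1)   # "Low": macros run with no warning at all
        }
    }
}

Get-ActiveScriptingPolicy    | Format-Table -AutoSize
Get-OfficeMacroSecurityLevel | Format-Table -AutoSize
```

A "Weak" result in either table means the condition this section warns about is present on the machine; Disable-RestrictedZoneScripting applies only the first fix, and a macro level of Low should be raised through the application's Tools / Macro / Security dialog.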

<H5>Microsoft Outlook Security Update</H5>

<P>Installing the Microsoft Outlook 2000 E-Mail Security Update will
modify Outlook to use the Restricted Zone as suggested previously.
It also limits which attachment file types are displayed in Outlook
messages, and adds new prompts for accessing the address book or
sending email messages.  While none of these changes will protect you
completely from the Office 2000 UA vulnerability described in this
advisory, the update may significantly reduce the chance of the
vulnerability being exploited successfully on your system by a worm
propagating via Outlook.

<P>More information about the Outlook 2000 E-Mail Security Update is
available from

<DL>
<DD><A HREF="http://www.officeupdate.com/2000/downloadDetails/Out2ksec.htm">
http://www.officeupdate.com/2000/downloadDetails/Out2ksec.htm</A></DD>
</DL>

<H5>Other Email Clients</H5>

<P>If you use Internet Explorer as your web browser, you may wish to
disable JavaScript or other scripting languages in your email client
to prevent an email message from starting IE and exploiting this
vulnerability.

<A NAME="vendors"/>
<H2>Appendix A. Vendor Information</H2>

<A NAME="microsoft"></A>
<H4>Microsoft Corporation</H4>

<P>Microsoft has published a security bulletin, an FAQ, and a
knowledgebase article describing this vulnerability.  These documents
are available from Microsoft's web site:

<DL>
<DD><A HREF="http://microsoft.com/technet/security/bulletin/ms00-034.asp">
http://microsoft.com/technet/security/bulletin/ms00-034.asp</A></DD>
<DD><A HREF="http://microsoft.com/technet/security/bulletin/fq00-034.asp">
http://microsoft.com/technet/security/bulletin/fq00-034.asp</A></DD>
<DD><A HREF="http://microsoft.com/technet/support/kb.asp?ID=262767">
http://microsoft.com/technet/support/kb.asp?ID=262767</A></DD>
</DL>


<HR NOSHADE>

<P>The CERT Coordination Center thanks L0pht Research Labs and @Stake
for initially discovering and reporting this vulnerability.  We also
thank the Microsoft Security Team for their assistance in preparing
this advisory.</P>


<HR NOSHADE>

<P>Cory Cohen and Shawn Hernan were the primary authors of this
document.



<P>Copyright 2000 Carnegie Mellon University.</P>

<P>Revision History
<PRE>
May 24, 2000: Initial release
May 24, 2000: Corrected an error regarding the "kill" bit. The patch
from Microsoft does not set the kill bit as we originally reported.
May 26, 2000: Corrected minor typo
</PRE>