Microsoft Excel Macro Security Features Can Be Bypassed by Malformed Excel Documents
SecurityTracker Alert ID: 1002486|
SecurityTracker URL: http://securitytracker.com/id/1002486
(Links to External Site)
Date: Oct 5 2001
Execution of arbitrary code via network|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): Microsoft Excel 2000 for Windows, Excel 2002 for Windows, Excel 98 for Macintosh, Excel 2001 for Macintosh|
Microsoft reported that a malformed Excel document can bypass the Excel macro security features. A remote user could supply a malformed Excel spreadsheet that would cause arbitrary code to be execute on the target user's host when the file is opened.|
It is reported that there is a flaw in the way that Excel attempts to detect macros. A remote user could create a specially formated Excel document that contains malicious macro code that would run automatically when the target user opened the file.
A similar vulnerability exists in Microsoft PowerPoint. See a separate Alert for information on the PowerPoint vulnerability.
A remote user could create an Excel document that contains malicious macro code that would bypass the Excel macro security features and be executed when the recipient of the file opens the file.|
Microsoft has issued patches, which are available at the following locations:|
Download locations for this patch
Microsoft Excel 2000 for Windows:
Microsoft Excel 2002 for Windows:
Microsoft Excel 98 for Macintosh:
Microsoft Excel 2001 for Macintosh:
The vendor reports that the above listed patches can be installed on systems running Excel SR-1 or SP2 for Windows and systems running Excel for Macintosh. For information on applying and verifying patches, see the Vendor URL.
Vendor URL: www.microsoft.com/technet/security/bulletin/MS01-050.asp (Links to External Site)
Exception handling error|
MacOS, Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)|
Source Message Contents
Date: Thu, 4 Oct 2001 14:56:03 -0700|
Subject: Microsoft Security Bulletin MS01-050
The following is a Security Bulletin from the Microsoft Product Security
Please do not reply to this message, as it was sent from an unattended
-----BEGIN PGP SIGNED MESSAGE-----
Title: Malformed Excel or PowerPoint Document Can Bypass Macro
Date: 04 October 2001
Software: Microsoft Excel or PowerPoint for Windows or Macintosh
Impact: Run Code Of Attacker's Choice
Microsoft encourages customers to review the Security Bulletin at:
Excel and PowerPoint have a macro security framework that controls
the execution of macros and prevents macros from running
automatically. Under this framework, any time a user opens a
document the document is scanned for the presence of macros.
If a document contains macros, the user is notified and asked
if he wants to run the macros or the macros are disabled entirely,
depending on the security setting. A flaw exists in the way macros
are detected that can allow a malicious user to bypass macro
A malicious attacker could attempt to exploit this vulnerability
by crafting a specially formed Excel or PowerPoint document with
macro code that would run automatically when the user opened it.
The attacker could carry out this attack by hosting the malicious
file on a web site, a file share, or by sending it through email.
- The macro code could not execute without the user's
first opening the document.
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
for information on obtaining this patch.
- Peter Ferrie, Symantec Security Response
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
-----END PGP SIGNATURE-----
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.
To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.
For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/technet/security/notify.asp. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.