SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Game)  >   Microsoft Office Vendors:   Microsoft
(Microsoft Issues Fix for OWC) Microsoft Office Web Components Let Remote Users Write Code to Run in the Victim's Local Security Domain and Access Local or Remote Files
SecurityTracker Alert ID:  1005102
SecurityTracker URL:  http://securitytracker.com/id/1005102
CVE Reference:   CAN2002-0860   (Links to External Site)
Date:  Aug 21 2002
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): OWC 2000, OWC 2002
Description:   GreyMagic Software has issued several advisories warning of scripting vulnerabilities in Microsoft Office due to flaws in Microsoft's Office Web Components. In this advisory, they indicate that remotely supplied HTML can cause Internet Explorer read local files.

Several vulnerabilities were reported in Microsoft's Office Web Components (OWC), which is included in Microsoft Office but is also available as a standalone viewer. OWC is reported to be a group of components marked as of 'safe for scripting' and used to enrich HTML documents with spreadsheets, charts, pivot tables and more.

A remote user can apparently exploit OWC9 and OWC10 to cause IE to ready any local or remote file via the "LoadText" method of the Range object. If the URL supplied to this method is not the same security domain as the current document, the function apparently returns an error. However, a user can reportedly bypass this restriction by using a URL that will redirect to the desired local or remote file. OWC will then interpret the URL as safe to load and will load the contents of the file into the spreadsheet, according to the advisory.

A demonstration exploit is provided in the Source Message.

The vendor has reportedly been notified.

For more information, see:

http://security.greymagic.com/adv/gm006-ie/

Impact:   A remote user can create HTML containing code that will, when loaded by the target (victim) user, run in the local user security context and be able to retrieve local or remote files.
Solution:   The vendor has released a patch.

Microsoft recommends that Office users install the Office XP SP2 update using the Office poduct Updates site:

http://office.microsoft.com/productupdates/

The general OWC patch is available at:

http://support.microsoft.com/default.aspx?scid=kb;%5bLN%5d;Q322382

For Microsoft Project 2002:

http://office.microsoft.com/downloads/2002/prj1001.aspx

For Microsoft Project Server 2002:

http://office.microsoft.com/downloads/2002/ps1001en.aspx

For Office Web Components Download:

http://office.microsoft.com/downloads/2002/owc10.aspx

The general patch can reportedly be installed on the following systems:

* Microsoft BackOffice Server 2000 Gold or later
* Microsoft BizTalk Server 2000 Gold or later
* Microsoft BizTalk Server 2002 Gold or later
* Microsoft Commerce Server 2000 Gold or later
* Microsoft Commerce Server 2002 Gold or later
* Microsoft Internet Security and Acceleration Server 2000 Gold or later
* Microsoft Money 2002 or later
* Microsoft Money 2003 or later
* Microsoft Office 2000 Gold or later
* Microsoft Office XP Gold or later
* Microsoft Project Server 2002 Gold or later
* Microsoft Small Business Server 2000 Gold or later

The Microsoft Project 2002 patch can be installed on Microsoft Project 2002 Gold or later.

The Microsoft Project Server 2002 patch can be installed on Microsoft Project Server 2002 Gold or later.

Microsoft has included this fix in Office XP SP2:

http://office.microsoft.com/downloads/2002/oxpsp2.aspx

Microsoft plans to issue Knowledge Base article Q328130 regarding this issue, to be available shortly on the Microsoft Online Support web site:

http://support.microsoft.com/?scid=fh;en-us;kbhowto

Vendor URL:  www.microsoft.com/technet/security/bulletin/MS02-044.asp (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Apr 9 2002 Microsoft Office Web Components Let Remote Users Write Code to Run in the Victim's Local Security Domain and Access Local or Remote Files



 Source Message Contents

Subject:  Microsoft Security Bulletin MS02-044 : Unsafe Functions in Office Web Components (Q328130)


-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      Unsafe Functions in Office Web Components (Q328130)
Date:       21 August 2002
Software:   Office Web Components, Office, BackOffice Server,
            BizTalk Server, Commerce Server, ISA Server, Money,
            Microsoft Project, Microsoft Project Server
            Small Business Server
Impact:     Three vulnerabilities, the most serious of which could
            allow an attacker to run commands on the user's system.
Max Risk:   Critical
Bulletin:   MS02-044

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS02-044.asp.
- ----------------------------------------------------------------------

Issue:
======
The Office Web Components (OWC) contain several ActiveX controls
that give users limited functionality of Microsoft Office in a web
browser without requiring that the user install the full
Microsoft Office application. This allows users to utilize
Microsoft Office applications in situations where installation
of the full application is infeasible or undesirable. 

The control contains three security vulnerabilities, each of
which could be exploited either via a web site or an HTML mail.
The vulnerabilities result because of implementation errors
in the following methods and functions the controls expose: 

 - Host(). This function, by design, provides the caller with
   access to applications' object models on the user's system.
   By using the Host() function, an attacker could, for instance,
   open an Office application on the user's system and invoke
   commands there that would execute operating system commands
   as the user. 

 - LoadText(). This method allows a web page to load text into a
   browser window. The method does check that the source of the
   text is in the same domain as the window, and in theory should
   restrict the page to only loading text that it hosts itself.
   However, it is possible to circumvent this restriction by
   specifying a text source located within the web page's domain,
   and then setting up a server-side redirect of that text to a
   file on the user's system. This would provide an attacker with
   a way to read any desired file on the user's system. 

 - Copy()/Paste(). These methods allow text to be copied and pasted.
   A security vulnerability results because the method does not
   respect the "disallow paste via script" security setting in IE.
   Thus, even if this setting had been selected, a web page could
   continue to access the copy buffer, and read any text that the
   user had copied or cut from within other applications. 

The patch does not set "kill bit" on the control, for reasons
discussed in the FAQ.

Mitigating Factors:
====================
Overall: 

 - In the case of the web-based attack, an attacker would need
   to force a user to visit the attacker's Web site. Users who
   exercise caution in visiting web sites could minimize their
   risk. 

 - In the web based attack, If ActiveX controls have been
   disabled in the zone in which the page were viewed, the
   vulnerability could not be exploited. Users who place
   untrusted sites in the Restricted Sites zone, which disables
   ActiveX by default, or have disabled ActiveX controls in the
   Internet zone could minimize their risk. 

 - In the case of HTML email based attacks, customers who read
   email in the Restricted Sites zone would be protected against
   attempts to exploit this vulnerability. Customers using
   Outlook 2002 and Outlook Express 6.0, as well as
   Outlook 2000 and Outlook 98 customers who have applied the
   Outlook Email Security Update would thus be protected by
   default. Also, Outlook Express 5.0 customers who have chosen
   to read mail in the Restricted Sites zone would be protected
   by default. 

 - In the HTML email based attack, Outlook 2002 customers who
   have enabled the "Read as Plain Text" option available in
   SP1 or later would also be protected.
 
Host() Vulnerability: 

 - The attacker's code would be limited by restrictions on the
   user's account. Users of non-privileged accounts would limit
   the potential damage from a successful attack. 

LoadText(): 

 - The attacker would need to know the full path and name of the
   file. In addition the file would have to be viewable in a
   web browser. 

Copy()/Paste(): 

 - The vulnerability could enable an attacker to access only to
   information in the Windows clipboard. The information in the
   clipboard is unpredictable and this vulnerability gives no
   means for an attacker to target and retrieve specific
   information. Further, it is possible for the clipboard to
   be empty, which would yield an attacker nothing. 

 - The security setting in question is not enabled by default.
   Thus, the vulnerability does not present a threat to the 
   default installation.

Risk Rating:
============
 - Internet systems: Moderate
 - Intranet systems: Moderate
 - Client systems: Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-044.asp
   for information on obtaining this patch.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL 
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE 
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT 
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES 
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF 
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
ITS 
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO 
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR 
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPWQCJY0ZSRQxA/UrAQFpQgf/b6ZAeKBalHWcYe23OwlytG8EyV61G5WM
alse7ecupinAyF7r6VRu4k88lONvGkQR8KrRVrm9rLcx5wxkMpPs5vgqSmtO0aQy
9w0l4YXU0EWkP3qFl2FhxiC3r9QVfmBxeV4pmQvHRs0B/NL2bxsVarUxxPoVMP18
6UJoigEi0ykmVqezhQukxKjgRLAxhy/t3d0nWLbWTN6uEVgXXW6Sk3JP1EyUf10m
pQUCf+T8ZtKpkNutRsGwVgR7z1Iva6soXjbCymDmD6rZ7uwb04K3bZgc04fAHmv3
BJY9+xV/upFz5Qy5szdMXHiSPBXeZ7XNmmjRKNLGPn3VGQnZ4JTz5w==
=XDjy
-----END PGP SIGNATURE-----


*******************************************************************

You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service.  For more
 information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.
 
To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.
 
To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp
 
 
If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via email as described
 below:
Send an email to unsubscribe to the Service by following these steps: 
a. Send an e-mail to securrem@microsoft.com. The subject line and the message body are not used to process the subscription request,
 and can be anything you like. 
b. Send the e-mail. 
c. You will receive a response, asking you to verify that you really want to cancel your subscription. Compose a reply, and put "OK"
 in the message body. (Without the quotes). Send the reply. 
d. You will receive an e-mail telling you that your name has been removed from the subscriber list.
 
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC