TechNet Home > Security > Bulletins
Microsoft Security Bulletin MS02-031
[Print] Print
Cumulative Patches for Excel and Word for Windows (Q324458)
Originally posted: June 19, 2002
Summary
Who should read this bulletin: Customers using Microsoft® Excel for Windows®
or Microsoft Word for Windows.
Impact of vulnerability: Run code of attacker's choice.
Maximum Severity Rating: Moderate
Recommendation: Customers should apply the patches.
Affected Software:
* Microsoft Excel 2000 for Windows
* Microsoft Office 2000 for Windows
* Microsoft Excel 2002 for Windows
* Microsoft Word 2002 for Windows
* Microsoft Office XP for Windows
Technical details
Technical description:
This is a set of cumulative patches that, when applied, applies all
previously released fixes for these products.
In addition, these patches eliminate four newly discovered vulnerabilities
all of which could enable an attacker to run Macro code on a user's machine.
The attacker's macro code could take any actions on the system that the user
was able to.
* An Excel macro execution vulnerability that relates to how inline macros
that are associated with objects are handled. This vulnerability could
enable macros to execute and bypass the Macro Security Model when the
user clicked on an object in a workbook.
* An Excel macro execution vulnerability that relates to how macros are
handled in workbooks when those workbooks are opened via a hyperlink on
a drawing shape. It is possible for macros in a workbook so invoked to
run automatically.
* An HTML script execution vulnerability that can occur when an Excel
workbook with an XSL Stylesheet that contains HTML scripting is opened.
The script within the XSL stylesheet could be run in the local computer
zone.
* A new variant of the "Word Mail Merge" vulnerability first addressed in
MS00-071. This new variant could enable an attacker's macro code to run
automatically if the user had Microsoft Access present on the system and
chose to open a mail merge document that had been saved in HTML format.
Mitigating factors:
Excel Inline Macros Vulnerability:
* A successful attack exploiting this vulnerability would require that the
user accept and open a workbook from an attacker and then click on an
object within the workbook.
Hyperlinked Excel Workbook Macro Bypass:
* A successful attempt to exploit this vulnerability would require that
the user accept and open an attacker's workbook and click on a drawing
shape with a hyperlink.
* An attacker's destination workbook would have to be accessible to the
user, either on the local system on an accessible network location.
Excel XSL Stylesheet Script Execution:
* A user would have to accept and open an attacker's workbook to exploit
this vulnerability.
* In addition, the user would have to acknowledge a security warning by
selecting the non-default option.
Variant of MS00-071, Word Mail Merge Vulnerability:
* The Word mail merge document would have to be saved in HTML format. As
Word is not the default handler for HTML applications, the user would
have to choose to open the document in Word, or acknowledge a security
warning.
* A successful attack requires that Access be installed locally.
* The attacker's data source has to be accessible to the user across a
network.
Severity Rating:
Excel Inline Macros Vulnerability:
Internet Servers Intranet Servers Client Systems
Excel 2000 Low Low Moderate
Excel 2002 Low Low Moderate
Hyperlinked Excel Workbook Macro Bypass:
Internet Servers Intranet Servers Client Systems
Excel 2000 Low Low Low
Excel 2002 Low Low Low
Excel XSL Stylesheet Script Execution:
Internet Servers Intranet Servers Client Systems
Excel 2000 Low Low Moderate
Excel 2002 Low Low Moderate
Variant of MS00-071, Word Mail Merge Vulnerability:
Internet Servers Intranet Servers Client Systems
Word 2002 Low Low Moderate
Aggregate Severity of all vulnerabilities addressed by this patch
(including issues addressed in previously released patches):
Internet Servers Intranet Servers Client Systems
Excel 2000 Low Low Moderate
Excel 2002 Low Low Moderate
Word 2002 Low Low Moderate
The above assessment is based on the types of systems affected by
the vulnerability, their typical deployment patterns, and the
effect that exploiting the vulnerability would have on them. Word
and Excel are primarily intended for use on client systems. All
vulnerabilities require some degree of user interaction for a
successful attack. The Hyperlinked Excel Workbook Macro Bypass
requires that an attacker make a malicious workbook available
either locally or on the network, in addition to enticing the user
to accept a different workbook and click on a hyperlinked shape
within it.
Vulnerability identifiers:
+ Excel Inline Macros Vulnerability:CAN-2002-0616
+ Hyperlinked Excel Workbook Macro Bypass: CAN-2002-0617
+ Excel XSL Stylesheet Script Execution: : CAN-2002-0618
+ Variant of MS00-071, Word Mail Merge Vulnerability:
CAN-2002-0619
Tested Versions:
Microsoft tested Excel 2000, Excel 2002, Word 2000, and Word
2002 to assess whether they are affected by these
vulnerabilities. Previous versions are no longer supported,
and may or may not be affected by these vulnerabilities.
Frequently asked questions
What vulnerabilities are eliminated by this patch?
This is a cumulative patch that, when applied, address all
previously addressed vulnerabilities. In addition, it
eliminates four new vulnerabilities:
+ A macro execution vulnerability in Excel that results
from a flaw in how Excel handles inline Macros.
+ A macro execution vulnerability in Excel that results
from a flaw in how macros in external workbooks are
handled when opened by a hyperlink on a drawing shape
within a workbook.
+ A script execution vulnerability related to how Excel
processes workbooks that contain XSL style
+ A variant of the "Word Mail Merge" vulnerability first
addressed in MS00-071.
Excel Inline Macros Vulnerability: (CAN-2002-0616):
What’s the scope of the first vulnerability?
This vulnerability could enable an attacker to cause macros
contained within an Excel workbook to execute outside of the
constraints of the macro security settings. Because macros by
design can take any action that a user can take, this
vulnerability has the net effect of enabling an attacker to
take the same actions on the system that the user is capable
of including adding, changing or deleting data, communicating
with web sites, or changing security settings, including the
macro security settings.
An attacker could not automate an attack using this
vulnerability: the user would have to be enticed into taking
an action after opening the attacker's workbook. In addition,
any constraints that limit the user's actions would also
inhibit the attacker's macros.
What causes the vulnerability?
The vulnerability results because of a flaw in how Excel
handles specially formatted inline macros that are attached to
objects within a workbook. It's possible to assign a macro to
an object in such a way that the Macro Security Model fails to
correctly recognize it as a macro. As a consequence, when the
object is activated and the macro is called, the Macro
Security Model is bypassed, and the macro runs with no
security restrictions.
In addition to the cells that are usually associated with a
spreadsheet, Excel provides support for objects within
workbooks. There are many objects that Excel makes available,
but some commonly known objects include drawing objects, such
as charts and graphs, command buttons, and menu buttons, among
others.
These objects make available a variety of functions and
capabilities, based on their type, but in general they help
expand the capabilities of Excel from being a simple
spreadsheet program to a full fledged application development
environment.
What are inline macros?
To support the expanded functionality that objects provide,
one of the capabilities that all objects in Excel support is
the ability to assign a macro to an object. This macro can
then provide any code-based functionality to the object that
the user or developer wants to add.
For example, suppose that a user has developed a spreadsheet
for calculating mortgage rates and the user wants to be able
to recalculate rates. The user can add a command button to the
spreadsheet and then assign a macro that performs the desired
calculations to that object. The user can then click on the
command button to run the macro assigned to it and thus
recalculate the mortgage rates.
By design, macros that are assigned to an object can be stored
in a macro code module. However, in the case of this
vulnerability it can be entered directly into the object's
properties. In this case the macro is referred to as an
"inline macro" because the macro code is actually stored
inline with the object's properties.
What is the Office Macro Security Model?
Macros are, in essence, small programs. As with programs, it
is possible for malicious users to create hostile macros that
seek to cause harm or disruption to the system by taking
actions such as deleting files, changing security settings, or
altering data in files. To help protect against hostile
macros, members of the Office family support a Macro Security
Model that helps users ensure that only safe, authorized
macros are run while unsafe, untrusted macros are disabled.
What's wrong with how Excel handles inline macros attached to
objects?
There is a flaw in how the Macro Security Model detects the
presences of inline macros within Excel objects. Specifically,
the Macro Security Model fails to correctly detect the macro.
What could this vulnerability enable an attacker to do?
Because the flaw causes the Macro Security Model to fail to
detect the presence of a macro, this flaw can provide a means
by which an attacker could bypass the Macro Security Model
entirely. As a result, the attacker could make macro code run
that would otherwise be disabled.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by
crafting an Excel workbook and inserting an object into the
workbook. The attacker would then assign an inline macro to
the object. The attacker would have to entice the user to open
the malicious workbook and then activate the object by
clicking on it. However, the attacker could take steps to
obscure the object in such a way that the user may not
recognize the presence of an object and inadvertently activate
the object simply by clicking on the spreadsheet itself.
What does the patch do?
The patch eliminates the vulnerability by disabling all inline
macros in the Medium and High security settings.
Does this mean that inline macros are still enabled in the Low
Security Setting?
Yes. However, the Low security setting provides no protections
against hostile macros. As a result, in this security setting,
there is no vulnerability, since no protections are bypassed.
Hyperlinked Excel Workbook Macro Bypass (CAN-2002-0617):
What’s the scope of the second vulnerability?
This is an Excel macro execution vulnerability. An attacker
who was able to successfully exploit this vulnerability could
cause macros contained within an Excel workbook to execute
outside of the constraints of the macro security settings.
An attacker could not automate an attack using this
vulnerability: the user would have to be enticed into taking
an action after opening the attacker's workbook. In addition,
any constraints that limit the user's actions would also
inhibit the attacker's macros.
What causes the vulnerability?
The vulnerability results because of a flaw in how Excel
macros in a workbook are handled when that workbook is opened
through a hyperlink that is associated with a drawing shape in
another workbook.
When the destination workbook is opened, the Macro Security
Model does not detect the presence of macros in the target
workbook. As a result, any autoexecute macros in the
destination workbook would run as soon as that workbook was
opened, without any security constraints.
What are drawing shapes?
As noted above, Excel provides a number of different objects
that can be inserted into workbooks. One particular type of
object that Excel supports are drawing shapes. Drawing shapes
are graphical objects such as circles, squares, rectangles, or
freeform shapes that can be inserted into a workbook.
How do drawing shapes support hyperlinks?
In the same way that objects support macros as an assigned
property, they also support hyperlinks. This means that a
drawing shape can be made into a hyperlink that will take
action when the shape is activated.
For example, suppose a user has created a circle on a page in
a workbook and they want users to be able to bring up a web
site's home page by clicking on that shape. The user can set
the hyperlink property of the shape to the web page in
question. When user then clicks on the shape, the hyperlink is
invoked and the web page opened.
Because hyperlinks can point to any file type, hyperlinks can
also be used to point to Excel workbooks. Using the example
above, it's also possible to have a circle point to an Excel
workbook. When the user would click on the shape with the
hyperlink, the destination workbook would be opened.
What's wrong with how Excel handles workbooks that are opened
through a hyperlink associated with a drawing shape?
In this particular sequence of events, Excel fails to properly
invoke the Macro Security Model when the destination workbook
is opened. As a result, the Macro Security Model is bypassed
entirely allowing any autoexecute macros to run automatically,
with no warning.
It's important to note that this flaw occurs only in
conjunction with this sequence of events.
What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to run macro code
when the user thought that code would be blocked by the Macro
Security Model.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by
creating two workbooks, a source workbook and a destination
workbook. The attacker would create a hyperlink on a shape in
the source workbook that points to the destination workbook.
In the destination workbook, the attacker could create an
autoexecute macro. The attacker would then have to ensure that
the destination workbook was accessible to the user in some
way, by giving it to the user or posting on a network share or
a web site.
The attacker would then have to send the source workbook to
the intended victim and entice the victim to open the
workbook, and click on the hyperlinked shape. As long as the
destination workbook was accessible, the destination workbook
would be opened, and the macro code would execute.
What does the patch do? The patch eliminates the vulnerability
by ensuring that the Macro Security Model is invoked when a
workbook is opened through a hyperlink associated with a
drawing shape.
Excel XSL Stylesheet Script Execution: (CAN-2002-0618):
What’s the scope of the third vulnerability?
This vulnerability could enable an attacker to cause HTML
scripts to execute as if they were run locally on the user's
system. The scripts could take any action that the user was
capable of, including adding, changing or deleting files or
changing security settings.
An attacker seeking to exploit this vulnerability would have
to convince the intended target to open a file. There is no
way to mount an automated attack against this vulnerability;
in all cases there is user interaction required to mount a
successful attack.
Any limitations on a user's ability to make changes to the
system would also limit the attacker's script. For example, if
a user were prohibited from deleting information on the local
system, the attacker's script would be similarly restricted.
What causes the vulnerability?
The vulnerability results because of a flaw in how XSL
Stylesheets within Excel workbooks are handled under the
Macros Security Model. The Macro Security Model fails to
correctly detect the presence of HTML scripting when contained
within an Excel workbook that contains an XSL stylesheet.
What is XSL?
XSL (eXtensible Stylesheet Language) is a language that
provides a means to sort and manipulate XML data. It can be
thought of as a query language for XML data. For example,
suppose you have customer data in XML format that is ordered
by last name and you want to sort it by customer ID. You would
use XSL to define the sorting rule for this data.
What is an XSL stylesheet?
Where XSL is the language that is used for manipulating XML
data, an XSL stylesheet is what actually contains the XSL. An
XSL stylesheet therefore is a document that contains
instructions in XSL. This file then can be "applied" by any
application that supports XSL.
What is XML?
XML (Extensible Markup Language) is an industry-standard
format for storing data that facilitates data transfer across
the Internet. XML provides a common means for structuring data
so that multiple applications can recognize it. Using the
example above, XML can be used to structure customer data and
meta-data so that any application that supports XML could
correctly identify the structure of the data, such as the
customer ID and last name, and the data itself.
What's wrong with how XSL stylesheets are handled within
Excel? There is a flaw in how the Macro Security Model handles
script within XSL Stylesheets that are contained in an Excel
workbook. Specifically, it fails to correctly detect the
presence of script and block its execution.
What could this vulnerability enable an attacker to do?
This vulnerability could allow an attacker to run HTML scripts
on the local system as if the user had elected to run them.
This means that the script would run in the Local Computer
zone. Since the Local Computer zone is intended for scripts
run directly by the user, scripts run in this zone can take
actions similar to those that a user can take directly. For
example, a script in the local computer zone could add,
change, or delete the same files that a user could.
Conversely, any restrictions on the user's ability to make
changes to the local system would also limit that attacker's
script. This means that if a user were prevented from changing
a file due to permissions on the local file system, the
attacker's script would be similarly prevented from making
changes.
How could an attacker exploit this vulnerability?
An attacker would most likely seek to exploit this
vulnerability by creating an Excel workbook that has an XSL
stylesheet that contains HTML script within it. The attacker
would have to entice the user to accept the file by either
offering it for download or sending it as an attachment in
email. When the user opened the file, a prompt would be raised
asking if he wanted to apply the XSL stylesheet. The user
would have to agree to apply the stylesheet by clicking "yes",
which is not the default. At that point, the stylesheet would
be applied and the attacker's script would run. Alternately,
if the file were set to autorefresh its query, the XSL could
be updated and the script run after the refresh.
Is there any way for an attacker to mount an automated attack
using this vulnerability?
No. In all cases, attempts to exploit this vulnerability would
require user interaction. There is no way for an attacker to
automate an attack against this vulnerability.
What does the patch do?
The patch eliminates the vulnerability by ensuring that the
Macros Security Model is applied when Excel opens workbooks
that contains XSL stylesheets. The specific result of applying
the patch will depend on the security setting of the Macro
Security Model.
Variant of MS00-071, Word Mail Merge Vulnerability:
(CAN-2002-0619)
What’s the scope of the fourth vulnerability?
This vulnerability is a new variant of the "Word Mail Merge"
vulnerability first discussed in Microsoft Security Bulletin
MS00-071 This vulnerability could allow an attacker to run
code on a user's system.
What is the "Word Mail Merge" Vulnerability?
In a nutshell, this is a vulnerability that could enable an
attacker to run VBA Code in Access unexpectedly when the user
opens a Mail Merge document in Word. In the case of this
particular variant, however, the Mail Merge document needs to
be saved in HTML format.
Where can I get more information on the "Word Mail Merge"
vulnerability?
Microsoft Security Bulletin MS00-071 discusses this
vulnerability in detail.
Are there any differences between this variant and the
original issue?
Unlike the original issue, this variant requires that the Word
document in question be saved in HTML format and that the
document then be opened in Word.
In addition, the mitigating factors for this variant are
different from the original issue. If the HTML document were
opened in anything other than Word, the attempt to exploit the
vulnerability would fail. In addition, a successful attack
requires that Access be installed on the user's system. If
Access is not installed, the attack would fail.
What causes the vulnerability?
The vulnerability results because the original fix for this
issue fails to correctly differentiate a remote Access data
source when the Word Mail Merge document is an HTML document.
As a result, remote data sources are treated in an identical
manner as local data sources.
If this variant requires that the Word document is in HTML
format, can an attacker mount an automated attack from a web
page or HTML email?
No. In all cases, the user must first choose to open the
document using Word, either by acknowledging a file download
dialogue box, or by choosing to open Word manually. There is
no way for an attacker to levy an automated attack against
this vulnerability.
How does the patch eliminate this vulnerability?
The patch eliminates the vulnerability by ensuring that Word
correctly differentiates between remote and local data sources
and handles them in a manner commensurate with their location.
Does this patch eliminate the original issue as well as the
new one?
Yes. It eliminates all known variants.
Patch availability
Download locations for this patch
+ Office Product Updates site:
http://office.microsoft.com/productupdates/default.aspx
+ Microsoft Excel 2000 for Windows:
+ Client Installation:
http://office.microsoft.com/downloads/2000/exc0901.aspx
+ Administrative Installation:
http://www.microsoft.com/office/ork/xp/journ/exc0901a.htm
+ Microsoft Excel 2002 for Windows:
+ Client Installation:
http://office.microsoft.com/downloads/2002/exc1002.aspx
+ Administrative Installation:
http://www.microsoft.com/office/ork/xp/journ/exc1002a.htm
+ Microsoft Word 2002:
+ Client Installation:
http://office.microsoft.com/downloads/2002/wrd1004.aspx
+ Administrative Installation:
http://www.microsoft.com/office/ork/xp/journ/wrd1004a.htm
Additional information about this patch
Installation platforms:
This patch can be installed on systems running:
+ Microsoft Office 2000 SR-1a or Service Pack 2
+ Microsoft Office XP Service Pack 1
Inclusion in future service packs:
The fix for these issues will be included in any future
service packs released for Office 2000 and Office XP.
Reboot needed: No
Superseded patches:
+ The Excel patch supercedes MS01-050.
+ The Word patch supercedes MS02-021.
Verifying patch installation:
+ Excel 2000 for Windows:
Verify that the version number of excel.exe is 9.0.6508.
+ Excel 2002 for Windows:
Verify that the version number of excel.exe is
10.0.4109.0.
+ Word 2002 for Windows:
Verify that the version number of winword.exe is
10.0.4109.
Caveats:
None
Localization:
The patches provided above are appropriate for use on any
language version.
Obtaining other security patches:
Patches for other security issues are available from the
following locations:
+ Security patches are available from the Microsoft
Download Center, and can be most easily found by doing a
keyword search for "security_patch".
+ Patches for consumer platforms are available from the
WindowsUpdate web site
+ All patches available via WindowsUpdate also are
available in a redistributable form from the
WindowsUpdate Corporate site.
Other information:
Acknowledgments
Microsoft thanks the following people for working with us to
protect customers:
+ Darryl Higa for reporting the Excel Inline Macros and
Hyperlinked Excel Workbook Macro Bypass vulnerabilities.
+ The dH team and SECURITY.NNOV team for reporting the
variant of MS00-071.
Support:
+ Microsoft Knowledge Base article Q324458 discusses this
issue and will be available approximately 24 hours after
the release of this bulletin. Knowledge Base articles can
be found on the Microsoft Online Support web site.
+ Technical support is available from Microsoft Product
Support Services. There is no charge for support calls
associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site
provides additional information about security in Microsoft
products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is
provided "as is" without warranty of any kind. Microsoft
disclaims all warranties, either express or implied, including
the warranties of merchantability and fitness for a particular
purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business
profits or special damages, even if Microsoft Corporation or
its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the
foregoing limitation may not apply.
Revisions:
+ V1.0 (June 19, 2002): Bulletin Created.
+ V1.1 (June 25, 2002): Bulletin corrected to reflect that
Office 2000 patches can install on SR-1a.
Contact Us | E-mail this Page | TechNet Newsletter
© 2002 Microsoft Corporation. All rights reserved. Terms of Use Privacy Statement Accessibility