   Microsoft Security Bulletin MS02-031

  Cumulative Patches for Excel and Word for Windows (Q324458)

  Originally posted: June 19, 2002

  Summary

       Who should read this bulletin: Customers using Microsoft® Excel for Windows®
       or Microsoft Word for Windows.

       Impact of vulnerability: Run code of attacker's choice.

       Maximum Severity Rating: Moderate

       Recommendation: Customers should apply the patches.

       Affected Software:

          * Microsoft Excel 2000 for Windows
          * Microsoft Office 2000 for Windows
          * Microsoft Excel 2002 for Windows
          * Microsoft Word 2002 for Windows
          * Microsoft Office XP for Windows

  Technical details

       Technical description:

       This is a set of cumulative patches that, when applied, applies all
       previously released fixes for these products.

       In addition, these patches eliminate four newly discovered vulnerabilities,
       all of which could enable an attacker to run macro code on a user's machine.
       The attacker's macro code could take any actions on the system that the user
       was able to.

          * An Excel macro execution vulnerability that relates to how inline macros
            that are associated with objects are handled. This vulnerability could
            enable macros to execute and bypass the Macro Security Model when the
            user clicked on an object in a workbook.
          * An Excel macro execution vulnerability that relates to how macros are
            handled in workbooks when those workbooks are opened via a hyperlink on
            a drawing shape. It is possible for macros in a workbook so invoked to
            run automatically.
          * An HTML script execution vulnerability that can occur when an Excel
            workbook with an XSL Stylesheet that contains HTML scripting is opened.
            The script within the XSL stylesheet could be run in the local computer
            zone.
          * A new variant of the "Word Mail Merge" vulnerability first addressed in
            MS00-071. This new variant could enable an attacker's macro code to run
            automatically if the user had Microsoft Access present on the system and
            chose to open a mail merge document that had been saved in HTML format.

       Mitigating factors:

       Excel Inline Macros Vulnerability:

          * A successful attack exploiting this vulnerability would require that the
            user accept and open a workbook from an attacker and then click on an
            object within the workbook.

       Hyperlinked Excel Workbook Macro Bypass:

          * A successful attempt to exploit this vulnerability would require that
            the user accept and open an attacker's workbook and click on a drawing
            shape with a hyperlink.
          * An attacker's destination workbook would have to be accessible to the
            user, either on the local system or on an accessible network location.

       Excel XSL Stylesheet Script Execution:

          * A user would have to accept and open an attacker's workbook to exploit
            this vulnerability.
          * In addition, the user would have to acknowledge a security warning by
            selecting the non-default option.

       Variant of MS00-071, Word Mail Merge Vulnerability:

          * The Word mail merge document would have to be saved in HTML format. As
            Word is not the default handler for HTML applications, the user would
            have to choose to open the document in Word, or acknowledge a security
            warning.
          * A successful attack requires that Access be installed locally.
          * The attacker's data source has to be accessible to the user across a
            network.

                 Severity Rating:
                 Excel Inline Macros Vulnerability:
                             Internet Servers  Intranet Servers Client Systems

                  Excel 2000 Low               Low              Moderate

                  Excel 2002 Low               Low              Moderate

                 Hyperlinked Excel Workbook Macro Bypass:
                             Internet Servers  Intranet Servers Client Systems

                  Excel 2000 Low               Low              Low

                  Excel 2002 Low               Low              Low

                 Excel XSL Stylesheet Script Execution:
                             Internet Servers  Intranet Servers Client Systems

                  Excel 2000 Low               Low              Moderate

                  Excel 2002 Low               Low              Moderate

                 Variant of MS00-071, Word Mail Merge Vulnerability:
                            Internet Servers  Intranet Servers Client Systems

                  Word 2002 Low               Low              Moderate

                 Aggregate Severity of all vulnerabilities addressed by this patch
                 (including issues addressed in previously released patches):
                             Internet Servers  Intranet Servers Client Systems

                  Excel 2000 Low               Low              Moderate

                  Excel 2002 Low               Low              Moderate

                  Word 2002  Low               Low              Moderate
                 The above assessment is based on the types of systems affected by
                 the vulnerability, their typical deployment patterns, and the
                 effect that exploiting the vulnerability would have on them. Word
                 and Excel are primarily intended for use on client systems. All
                 vulnerabilities require some degree of user interaction for a
                 successful attack. The Hyperlinked Excel Workbook Macro Bypass
                 requires that an attacker make a malicious workbook available
                 either locally or on the network, in addition to enticing the user
                 to accept a different workbook and click on a hyperlinked shape
                 within it.

                 Vulnerability identifiers:
                    + Excel Inline Macros Vulnerability: CAN-2002-0616
                    + Hyperlinked Excel Workbook Macro Bypass: CAN-2002-0617
                    + Excel XSL Stylesheet Script Execution: CAN-2002-0618
                    + Variant of MS00-071, Word Mail Merge Vulnerability:
                      CAN-2002-0619

                      Tested Versions:
                      Microsoft tested Excel 2000, Excel 2002, Word 2000, and Word
                      2002 to assess whether they are affected by these
                      vulnerabilities. Previous versions are no longer supported,
                      and may or may not be affected by these vulnerabilities.

                 Frequently asked questions

                      What vulnerabilities are eliminated by this patch?

                      This is a cumulative patch that, when applied, addresses all
                      previously addressed vulnerabilities. In addition, it
                      eliminates four new vulnerabilities:
                         + A macro execution vulnerability in Excel that results
                           from a flaw in how Excel handles inline Macros.
                         + A macro execution vulnerability in Excel that results
                           from a flaw in how macros in external workbooks are
                           handled when opened by a hyperlink on a drawing shape
                           within a workbook.
                         + A script execution vulnerability related to how Excel
                           processes workbooks that contain XSL style
                         + A variant of the "Word Mail Merge" vulnerability first
                           addressed in MS00-071.

                      Excel Inline Macros Vulnerability: (CAN-2002-0616):

                      What’s the scope of the first vulnerability?

                      This vulnerability could enable an attacker to cause macros
                      contained within an Excel workbook to execute outside of the
                      constraints of the macro security settings. Because macros by
                      design can take any action that a user can take, this
                      vulnerability has the net effect of enabling an attacker to
                      take the same actions on the system that the user is capable
                      of, including adding, changing or deleting data,
                      communicating with web sites, or changing security settings,
                      including the macro security settings.

                      An attacker could not automate an attack using this
                      vulnerability: the user would have to be enticed into taking
                      an action after opening the attacker's workbook. In addition,
                      any constraints that limit the user's actions would also
                      inhibit the attacker's macros.

                      What causes the vulnerability?

                      The vulnerability results because of a flaw in how Excel
                      handles specially formatted inline macros that are attached to
                      objects within a workbook. It's possible to assign a macro to
                      an object in such a way that the Macro Security Model fails to
                      correctly recognize it as a macro. As a consequence, when the
                      object is activated and the macro is called, the Macro
                      Security Model is bypassed, and the macro runs with no
                      security restrictions.

                      In addition to the cells that are usually associated with a
                      spreadsheet, Excel provides support for objects within
                      workbooks. There are many objects that Excel makes available,
                      but some commonly known objects include drawing objects, such
                      as charts and graphs, command buttons, and menu buttons, among
                      others.

                      These objects make available a variety of functions and
                      capabilities, based on their type, but in general they help
                      expand the capabilities of Excel from being a simple
                      spreadsheet program to a full fledged application development
                      environment.

                      What are inline macros?

                      To support the expanded functionality that objects provide,
                      one of the capabilities that all objects in Excel support is
                      the ability to assign a macro to an object. This macro can
                      then provide any code-based functionality to the object that
                      the user or developer wants to add.

                      For example, suppose that a user has developed a spreadsheet
                      for calculating mortgage rates and the user wants to be able
                      to recalculate rates. The user can add a command button to the
                      spreadsheet and then assign a macro that performs the desired
                      calculations to that object. The user can then click on the
                      command button to run the macro assigned to it and thus
                      recalculate the mortgage rates.

                      By design, macros that are assigned to an object can be stored
                      in a macro code module. However, in the case of this
                      vulnerability, the macro can be entered directly into the
                      object's properties. In this case the macro is referred to as
                      an "inline macro" because the macro code is actually stored
                      inline with the object's properties.

                      What is the Office Macro Security Model?

                      Macros are, in essence, small programs. As with programs, it
                      is possible for malicious users to create hostile macros that
                      seek to cause harm or disruption to the system by taking
                      actions such as deleting files, changing security settings, or
                      altering data in files. To help protect against hostile
                      macros, members of the Office family support a Macro Security
                      Model that helps users ensure that only safe, authorized
                      macros are run while unsafe, untrusted macros are disabled.

                      What's wrong with how Excel handles inline macros attached to
                      objects?

                      There is a flaw in how the Macro Security Model detects the
                      presence of inline macros within Excel objects. Specifically,
                      the Macro Security Model fails to correctly detect the macro.

                      What could this vulnerability enable an attacker to do?

                      Because the flaw causes the Macro Security Model to fail to
                      detect the presence of a macro, this flaw can provide a means
                      by which an attacker could bypass the Macro Security Model
                      entirely. As a result, the attacker could make macro code run
                      that would otherwise be disabled.

                      How could an attacker exploit this vulnerability?

                      An attacker could seek to exploit this vulnerability by
                      crafting an Excel workbook and inserting an object into the
                      workbook. The attacker would then assign an inline macro to
                      the object. The attacker would have to entice the user to open
                      the malicious workbook and then activate the object by
                      clicking on it. However, the attacker could take steps to
                      obscure the object in such a way that the user may not
                      recognize the presence of an object and inadvertently activate
                      the object simply by clicking on the spreadsheet itself.

                      What does the patch do?

                      The patch eliminates the vulnerability by disabling all inline
                      macros in the Medium and High security settings.

                      Does this mean that inline macros are still enabled in the Low
                      Security Setting?

                      Yes. However, the Low security setting provides no protections
                      against hostile macros. As a result, in this security setting,
                      there is no vulnerability, since no protections are bypassed.

                      Hyperlinked Excel Workbook Macro Bypass (CAN-2002-0617):

                      What’s the scope of the second vulnerability?

                      This is an Excel macro execution vulnerability. An attacker
                      who was able to successfully exploit this vulnerability could
                      cause macros contained within an Excel workbook to execute
                      outside of the constraints of the macro security settings.

                      An attacker could not automate an attack using this
                      vulnerability: the user would have to be enticed into taking
                      an action after opening the attacker's workbook. In addition,
                      any constraints that limit the user's actions would also
                      inhibit the attacker's macros.

                      What causes the vulnerability?

                      The vulnerability results because of a flaw in how Excel
                      macros in a workbook are handled when that workbook is opened
                      through a hyperlink that is associated with a drawing shape in
                      another workbook.

                      When the destination workbook is opened, the Macro Security
                      Model does not detect the presence of macros in the target
                      workbook. As a result, any autoexecute macros in the
                      destination workbook would run as soon as that workbook was
                      opened, without any security constraints.

                      What are drawing shapes?

                      As noted above, Excel provides a number of different objects
                      that can be inserted into workbooks. One particular type of
                      object that Excel supports is the drawing shape. Drawing
                      shapes are graphical objects such as circles, squares,
                      rectangles, or freeform shapes that can be inserted into a
                      workbook.

                      How do drawing shapes support hyperlinks?

                      In the same way that objects support macros as an assigned
                      property, they also support hyperlinks. This means that a
                      drawing shape can be made into a hyperlink that will take
                      action when the shape is activated.

                      For example, suppose a user has created a circle on a page in
                      a workbook and they want users to be able to bring up a web
                      site's home page by clicking on that shape. The user can set
                      the hyperlink property of the shape to the web page in
                      question. When the user then clicks on the shape, the
                      hyperlink is invoked and the web page opened.

                      Because hyperlinks can point to any file type, hyperlinks can
                      also be used to point to Excel workbooks. Using the example
                      above, it's also possible to have a circle point to an Excel
                      workbook. When the user would click on the shape with the
                      hyperlink, the destination workbook would be opened.

                      What's wrong with how Excel handles workbooks that are opened
                      through a hyperlink associated with a drawing shape?

                      In this particular sequence of events, Excel fails to properly
                      invoke the Macro Security Model when the destination workbook
                      is opened. As a result, the Macro Security Model is bypassed
                      entirely, allowing any autoexecute macros to run
                      automatically, with no warning.

                      It's important to note that this flaw occurs only in
                      conjunction with this sequence of events.

                      What could this vulnerability enable an attacker to do?

                      This vulnerability could enable an attacker to run macro code
                      when the user thought that code would be blocked by the Macro
                      Security Model.

                      How could an attacker exploit this vulnerability?

                      An attacker could seek to exploit this vulnerability by
                      creating two workbooks, a source workbook and a destination
                      workbook. The attacker would create a hyperlink on a shape in
                      the source workbook that points to the destination workbook.
                      In the destination workbook, the attacker could create an
                      autoexecute macro. The attacker would then have to ensure that
                      the destination workbook was accessible to the user in some
                      way, by giving it to the user or posting on a network share or
                      a web site.

                      The attacker would then have to send the source workbook to
                      the intended victim and entice the victim to open the
                      workbook, and click on the hyperlinked shape. As long as the
                      destination workbook was accessible, the destination workbook
                      would be opened, and the macro code would execute.

                      What does the patch do?

                      The patch eliminates the vulnerability by ensuring that the
                      Macro Security Model is invoked when a workbook is opened
                      through a hyperlink associated with a drawing shape.

                      Excel XSL Stylesheet Script Execution: (CAN-2002-0618):

                      What’s the scope of the third vulnerability?

                      This vulnerability could enable an attacker to cause HTML
                      scripts to execute as if they were run locally on the user's
                      system. The scripts could take any action that the user was
                      capable of, including adding, changing or deleting files or
                      changing security settings.

                      An attacker seeking to exploit this vulnerability would have
                      to convince the intended target to open a file. There is no
                      way to mount an automated attack against this vulnerability;
                      in all cases there is user interaction required to mount a
                      successful attack.

                      Any limitations on a user's ability to make changes to the
                      system would also limit the attacker's script. For example, if
                      a user were prohibited from deleting information on the local
                      system, the attacker's script would be similarly restricted.

                      What causes the vulnerability?

                      The vulnerability results because of a flaw in how XSL
                      Stylesheets within Excel workbooks are handled under the
                      Macro Security Model. The Macro Security Model fails to
                      correctly detect the presence of HTML scripting when contained
                      within an Excel workbook that contains an XSL stylesheet.

                      What is XSL?

                      XSL (eXtensible Stylesheet Language) is a language that
                      provides a means to sort and manipulate XML data. It can be
                      thought of as a query language for XML data. For example,
                      suppose you have customer data in XML format that is ordered
                      by last name and you want to sort it by customer ID. You would
                      use XSL to define the sorting rule for this data.

                      What is an XSL stylesheet?

                      Where XSL is the language that is used for manipulating XML
                      data, an XSL stylesheet is what actually contains the XSL. An
                      XSL stylesheet therefore is a document that contains
                      instructions in XSL. This file then can be "applied" by any
                      application that supports XSL.

                      What is XML?

                      XML (Extensible Markup Language) is an industry-standard
                      format for storing data that facilitates data transfer across
                      the Internet. XML provides a common means for structuring data
                      so that multiple applications can recognize it. Using the
                      example above, XML can be used to structure customer data and
                      meta-data so that any application that supports XML could
                      correctly identify the structure of the data, such as the
                      customer ID and last name, and the data itself.

                      What's wrong with how XSL stylesheets are handled within
                      Excel?

                      There is a flaw in how the Macro Security Model handles
                      script within XSL Stylesheets that are contained in an Excel
                      workbook. Specifically, it fails to correctly detect the
                      presence of script and block its execution.

                      What could this vulnerability enable an attacker to do?

                      This vulnerability could allow an attacker to run HTML scripts
                      on the local system as if the user had elected to run them.
                      This means that the script would run in the Local Computer
                      zone. Since the Local Computer zone is intended for scripts
                      run directly by the user, scripts run in this zone can take
                      actions similar to those that a user can take directly. For
                      example, a script in the local computer zone could add,
                      change, or delete the same files that a user could.

                      Conversely, any restrictions on the user's ability to make
                      changes to the local system would also limit that attacker's
                      script. This means that if a user were prevented from changing
                      a file due to permissions on the local file system, the
                      attacker's script would be similarly prevented from making
                      changes.

                      How could an attacker exploit this vulnerability?

                      An attacker would most likely seek to exploit this
                      vulnerability by creating an Excel workbook that has an XSL
                      stylesheet that contains HTML script within it. The attacker
                      would have to entice the user to accept the file by either
                      offering it for download or sending it as an attachment in
                      email. When the user opened the file, a prompt would be raised
                      asking if he wanted to apply the XSL stylesheet. The user
                      would have to agree to apply the stylesheet by clicking "yes",
                      which is not the default. At that point, the stylesheet would
                      be applied and the attacker's script would run. Alternately,
                      if the file were set to autorefresh its query, the XSL could
                      be updated and the script run after the refresh.

                      Is there any way for an attacker to mount an automated attack
                      using this vulnerability?

                      No. In all cases, attempts to exploit this vulnerability would
                      require user interaction. There is no way for an attacker to
                      automate an attack against this vulnerability.

                      What does the patch do?

                      The patch eliminates the vulnerability by ensuring that the
                      Macro Security Model is applied when Excel opens workbooks
                      that contain XSL stylesheets. The specific result of applying
                      the patch will depend on the security setting of the Macro
                      Security Model.

                      Variant of MS00-071, Word Mail Merge Vulnerability:
                      (CAN-2002-0619)

                      What’s the scope of the fourth vulnerability?

                      This vulnerability is a new variant of the "Word Mail Merge"
                      vulnerability first discussed in Microsoft Security Bulletin
                      MS00-071. This vulnerability could allow an attacker to run
                      code on a user's system.

                      What is the "Word Mail Merge" Vulnerability?

                      In a nutshell, this is a vulnerability that could enable an
                      attacker to run VBA Code in Access unexpectedly when the user
                      opens a Mail Merge document in Word. In the case of this
                      particular variant, however, the Mail Merge document needs to
                      be saved in HTML format.

                      Where can I get more information on the "Word Mail Merge"
                      vulnerability?

                      Microsoft Security Bulletin MS00-071 discusses this
                      vulnerability in detail.

                      Are there any differences between this variant and the
                      original issue?

                      Unlike the original issue, this variant requires that the Word
                      document in question be saved in HTML format and that the
                      document then be opened in Word.

                      In addition, the mitigating factors for this variant are
                      different from the original issue. If the HTML document were
                      opened in anything other than Word, the attempt to exploit the
                      vulnerability would fail. In addition, a successful attack
                      requires that Access be installed on the user's system. If
                      Access is not installed, the attack would fail.

                      What causes the vulnerability?

                      The vulnerability results because the original fix for this
                      issue fails to correctly differentiate a remote Access data
                      source when the Word Mail Merge document is an HTML document.
                      As a result, remote data sources are treated in an identical
                      manner as local data sources.

                      If this variant requires that the Word document is in HTML
                      format, can an attacker mount an automated attack from a web
                      page or HTML email?

                      No. In all cases, the user must first choose to open the
                      document using Word, either by acknowledging a file download
                      dialogue box, or by choosing to open Word manually. There is
                      no way for an attacker to levy an automated attack against
                      this vulnerability.

                      How does the patch eliminate this vulnerability?

                      The patch eliminates the vulnerability by ensuring that Word
                      correctly differentiates between remote and local data sources
                      and handles them in a manner commensurate with their location.

                      Does this patch eliminate the original issue as well as the
                      new one?

                      Yes. It eliminates all known variants.

                 Patch availability

                      Download locations for this patch
                         + Office Product Updates site:
                           http://office.microsoft.com/productupdates/default.aspx
                         + Microsoft Excel 2000 for Windows:
                              + Client Installation:
                                http://office.microsoft.com/downloads/2000/exc0901.aspx
                              + Administrative Installation:
                                http://www.microsoft.com/office/ork/xp/journ/exc0901a.htm
                         + Microsoft Excel 2002 for Windows:
                              + Client Installation:
                                http://office.microsoft.com/downloads/2002/exc1002.aspx
                              + Administrative Installation:
                                http://www.microsoft.com/office/ork/xp/journ/exc1002a.htm
                         + Microsoft Word 2002:
                              + Client Installation:
                                http://office.microsoft.com/downloads/2002/wrd1004.aspx
                              + Administrative Installation:
                                http://www.microsoft.com/office/ork/xp/journ/wrd1004a.htm

                 Additional information about this patch
                      Installation platforms:
                      This patch can be installed on systems running:
                         + Microsoft Office 2000 SR-1a or Service Pack 2
                         + Microsoft Office XP Service Pack 1

                      Inclusion in future service packs:
                      The fix for these issues will be included in any future
                      service packs released for Office 2000 and Office XP.

                      Reboot needed: No

                      Superseded patches:
                         + The Excel patch supersedes MS01-050.
                         + The Word patch supersedes MS02-021.

                      Verifying patch installation:
                         + Excel 2000 for Windows:
                           Verify that the version number of excel.exe is 9.0.6508.
                         + Excel 2002 for Windows:
                           Verify that the version number of excel.exe is
                           10.0.4109.0.
                         + Word 2002 for Windows:
                           Verify that the version number of winword.exe is
                           10.0.4109.
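
                      The version check above, applied to a software inventory
                      export, as an added example that is not part of the bulletin.
                      The inventory rows and the function names are constructed, and
                      treating a version at or above the listed one as patched is an
                      assumption, since the bulletin states only the exact numbers.

```python
# Patched file versions from the bulletin's "Verifying patch installation" list.
# Keyed by (executable, major version): 9 = Office 2000 line, 10 = Office XP line.
PATCHED = {
    ("excel.exe", 9): "9.0.6508",
    ("excel.exe", 10): "10.0.4109.0",
    ("winword.exe", 10): "10.0.4109",
}

def parse_version(text):
    """Turn '10.0.4109' or '10.0.4109.0' into a comparable 4-tuple of ints."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError("unexpected version string: %r" % text)
    return tuple(parts + [0] * (4 - len(parts)))

def check(exe, version):
    """Return 'patched', 'unpatched' or 'not-listed' for one file version."""
    found = parse_version(version)
    baseline = PATCHED.get((exe.lower(), found[0]))
    if baseline is None:
        return "not-listed"  # e.g. winword.exe 9.x: the bulletin lists no version
    # Assumption: a version at or above the listed one contains the fix.
    return "patched" if found >= parse_version(baseline) else "unpatched"

# Constructed inventory rows (host, executable, file version), not real data.
SAMPLE_INVENTORY = """\
ws-01,EXCEL.EXE,9.0.6508
ws-02,excel.exe,9.0.4402
ws-03,excel.exe,10.0.4109.0
ws-04,WINWORD.EXE,10.0.2627.0
ws-05,winword.exe,10.0.4109.0
ws-06,winword.exe,9.0.6926
"""

def audit(inventory):
    """Map each host in a CSV inventory to its check() result."""
    results = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, exe, version = [field.strip() for field in line.split(",")]
        results[host] = check(exe, version)
    return results

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(host, status)
```

                      Hosts reported as not-listed need a manual check, because
                      the list above gives no patched version for that product.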

                      Caveats:
                      None

                      Localization:
                      The patches provided above are appropriate for use on any
                      language version.

                      Obtaining other security patches:
                      Patches for other security issues are available from the
                      following locations:
                         + Security patches are available from the Microsoft
                           Download Center, and can be most easily found by doing a
                           keyword search for "security_patch".
                         + Patches for consumer platforms are available from the
                           WindowsUpdate web site.
                         + All patches available via WindowsUpdate also are
                           available in a redistributable form from the
                           WindowsUpdate Corporate site.

                 Other information:

                      Acknowledgments

                      Microsoft thanks the following people for working with us to
                      protect customers:
                         + Darryl Higa for reporting the Excel Inline Macros and
                           Hyperlinked Excel Workbook Macro Bypass vulnerabilities.
                         + The dH team and SECURITY.NNOV team for reporting the
                           variant of MS00-071.

                      Support:
                         + Microsoft Knowledge Base article Q324458 discusses this
                           issue and will be available approximately 24 hours after
                           the release of this bulletin. Knowledge Base articles can
                           be found on the Microsoft Online Support web site.
                         + Technical support is available from Microsoft Product
                           Support Services. There is no charge for support calls
                           associated with security patches.

                      Security Resources: The Microsoft TechNet Security Web Site
                      provides additional information about security in Microsoft
                      products.

                      Disclaimer:
                      The information provided in the Microsoft Knowledge Base is
                      provided "as is" without warranty of any kind. Microsoft
                      disclaims all warranties, either express or implied, including
                      the warranties of merchantability and fitness for a particular
                      purpose. In no event shall Microsoft Corporation or its
                      suppliers be liable for any damages whatsoever including
                      direct, indirect, incidental, consequential, loss of business
                      profits or special damages, even if Microsoft Corporation or
                      its suppliers have been advised of the possibility of such
                      damages. Some states do not allow the exclusion or limitation
                      of liability for consequential or incidental damages so the
                      foregoing limitation may not apply.

                      Revisions:
                         + V1.0 (June 19, 2002): Bulletin Created.
                         + V1.1 (June 25, 2002): Bulletin corrected to reflect that
                           Office 2000 patches can install on SR-1a.

  © 2002 Microsoft Corporation. All rights reserved.