Microsoft Security Bulletin MS02-044: Office Web Components



-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------

Title:     Unsafe Functions in Office Web Components (Q328130)
Date:      21 August 2002
Software:  Office Web Components, Office, BackOffice Server,
           BizTalk Server, Commerce Server, ISA Server, Money,
           Microsoft Project, Microsoft Project Server,
           Small Business Server
Impact:    Three vulnerabilities, the most serious of which could
           allow an attacker to run commands on the user's system.
Max Risk:  Critical
Bulletin:  MS02-044

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/...in/MS02-044.asp.

- ----------------------------------------------------------------------

Issue:
======

The Office Web Components (OWC) contain several ActiveX controls
that give users limited functionality of Microsoft Office in a web
browser without requiring that the user install the full
Microsoft Office application. This allows users to utilize
Microsoft Office applications in situations where installation
of the full application is infeasible or undesirable.

The control contains three security vulnerabilities, each of
which could be exploited either via a web site or an HTML mail.
The vulnerabilities result because of implementation errors
in the following methods and functions the controls expose:

- Host(). This function, by design, provides the caller with
  access to applications' object models on the user's system.
  By using the Host() function, an attacker could, for instance,
  open an Office application on the user's system and invoke
  commands there that would execute operating system commands
  as the user.

- LoadText(). This method allows a web page to load text into a
  browser window. The method does check that the source of the
  text is in the same domain as the window, and in theory should
  restrict the page to only loading text that it hosts itself.
  However, it is possible to circumvent this restriction by
  specifying a text source located within the web page's domain,
  and then setting up a server-side redirect of that text to a
  file on the user's system. This would provide an attacker with
  a way to read any desired file on the user's system.

- Copy()/Paste(). These methods allow text to be copied and pasted.
  A security vulnerability results because the method does not
  respect the "disallow paste via script" security setting in IE.
  Thus, even if this setting had been selected, a web page could
  continue to access the copy buffer, and read any text that the
  user had copied or cut from within other applications.

The patch does not set the "kill bit" on the control, for reasons
discussed in the FAQ.

Mitigating Factors:
====================

Overall:

- In the case of the web-based attack, an attacker would need
  to force a user to visit the attacker's Web site. Users who
  exercise caution in visiting web sites could minimize their
  risk.

- In the web-based attack, if ActiveX controls have been
  disabled in the zone in which the page was viewed, the
  vulnerability could not be exploited. Users who place
  untrusted sites in the Restricted Sites zone, which disables
  ActiveX by default, or have disabled ActiveX controls in the
  Internet zone could minimize their risk.

- In the case of HTML email based attacks, customers who read
  email in the Restricted Sites zone would be protected against
  attempts to exploit this vulnerability. Customers using
  Outlook 2002 and Outlook Express 6.0, as well as
  Outlook 2000 and Outlook 98 customers who have applied the
  Outlook Email Security Update would thus be protected by
  default. Also, Outlook Express 5.0 customers who have chosen
  to read mail in the Restricted Sites zone would be protected
  by default.

- In the HTML email based attack, Outlook 2002 customers who
  have enabled the "Read as Plain Text" option available in
  SP1 or later would also be protected.

Host() Vulnerability:

- The attacker's code would be limited by restrictions on the
  user's account. Users of non-privileged accounts would limit
  the potential damage from a successful attack.

LoadText():

- The attacker would need to know the full path and name of the
  file. In addition, the file would have to be viewable in a
  web browser.

Copy()/Paste():

- The vulnerability could enable an attacker to access only
  information in the Windows clipboard. The information in the
  clipboard is unpredictable and this vulnerability gives no
  means for an attacker to target and retrieve specific
  information. Further, it is possible for the clipboard to
  be empty, which would yield an attacker nothing.

- The security setting in question is not enabled by default.
  Thus, the vulnerability does not present a threat to the
  default installation.

Risk Rating:
============

- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: Critical

Patch Availability:
===================

- A patch is available to fix this vulnerability. Please read the
  Security Bulletin at
  http://www.microsoft.com/technet/security/...in/ms02-044.asp
  for information on obtaining this patch.

- ---------------------------------------------------------------------
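
The LoadText() bypass described in the bulletin comes from checking the source's domain once, before the server-side redirect is followed. As an added illustration (not code from the bulletin or from the OWC control), this sketch contrasts that pattern with a check repeated on every redirect hop; the function names, the site.example URLs, the redirect table and the file path are all constructed assumptions.

```javascript
// Constructed redirect table standing in for server responses (sample data).
const REDIRECTS = new Map([
  ["http://site.example/notes.txt", "file:///C:/constructed/path.txt"],
  ["http://site.example/a.txt", "http://site.example/b.txt"],
  ["http://site.example/hop.txt", "http://other.example/data.txt"],
]);
const MAX_HOPS = 5;

// Same scheme and same host:port. Assumption: the bulletin only says
// "same domain"; this is the stricter modern comparison.
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Flawed pattern: validate the URL the page supplied, then load whatever
// the redirect chain ends at without looking at it again.
function naiveLoad(pageUrl, sourceUrl) {
  if (!sameOrigin(pageUrl, sourceUrl)) return { allowed: false, final: null };
  let url = sourceUrl;
  for (let hop = 0; hop < MAX_HOPS && REDIRECTS.has(url); hop++) {
    url = REDIRECTS.get(url);
  }
  return { allowed: true, final: url };
}

// Hardened pattern: every hop, including the last, must be http(s) and
// same-origin with the page; overly long chains are refused.
function checkedLoad(pageUrl, sourceUrl) {
  let url = sourceUrl;
  for (let hop = 0; hop <= MAX_HOPS; hop++) {
    const scheme = new URL(url).protocol;
    const webScheme = scheme === "http:" || scheme === "https:";
    if (!webScheme || !sameOrigin(pageUrl, url)) {
      return { allowed: false, final: null, rejectedAt: url };
    }
    if (!REDIRECTS.has(url)) {
      return { allowed: true, final: url, rejectedAt: null };
    }
    url = REDIRECTS.get(url);
  }
  return { allowed: false, final: null, rejectedAt: url }; // too many hops
}

const PAGE = "http://site.example/page.html";
console.log(naiveLoad(PAGE, "http://site.example/notes.txt"));
console.log(checkedLoad(PAGE, "http://site.example/notes.txt"));
```
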
