SecurityvulnsSECURITYVULNS:DOC:1755Fwd: Microsoft Word macro vulnerability advisory MS01-034
Hi,
Within minutes of Microsoft posting the bulletin on their site, my mailbox
was swamped with emails from people asking the same two questions. I am
therefore forwarding the below email (minus the sample document!) to the
BugTraq mailing list to reach a wide audience and answer the two questions I
keep getting asked:
1) Reporters asking when I notified Microsoft of the issue. As you can see
below, it was the 23rd of April. Yes, I know, it was before Office XP/2002
even went on sale.
2) People asking for a sample document which defeats the macro checking. I
think the most responsible course of action is to give users a chance to
download the patch and/or antivirus updates before making an example
available. SecurityFocus will no doubt make my sample document available at
the URL http://www.securityfocus.com/bid/2876 after users have had a chance
to protect themselves.
Regards,
Steven McLeod.
>From: "Steven McLeod" <[email protected]>
>To: [email protected]
>CC: [email protected], [email protected], [email protected],
>[email protected], [email protected], [email protected],
>[email protected], [email protected], [email protected]
>Subject: Microsoft Word macro vulnerability advisory MS01-034
>Date: Fri, 22 Jun 2001 14:28:52 -0000
>MIME-Version: 1.0
>X-Originating-IP: [210.84.112.186]
>Received: from 210.84.112.186 by lw11fd.law11.hotmail.msn.com with
>HTTP;Fri, 22 Jun 2001 14:28:52 GMT
>
>
>Hi,
>
>I am sending this email to complement Microsoft's Word macro vulnerability
>advisory just published at
>http://www.microsoft.com/technet/security/bulletin/MS01-034.asp
>
>Attached to this email is the sample I sent Microsoft when I alerted them
>to this issue.
>
>I am also forwarding this email with the sample included to the major
>antivirus vendors for them to examine.
>
>I will leave it up to SecurityFocus' good judgment as to when the sample
>file should be included in the "exploit" section of your vulnerability
>database so that system administrators can test their systems after
>applying Microsoft's patch. Looking at the structure of your site, I
>assume that this sample document will reside at
>http://www.securityfocus.com/bid/2876
>
>I would like to take this opportunity to thank (in no particular order)
>Alex Uy, Eric Schultze and Scott Culp (Microsoft Security Response Center),
>Elias Levy (Mr BugTraq), and Russ Cooper (Mr NTBugTraq) for their comments
>and assistance with this issue.
>
>Regards,
>Steven McLeod.
>
>>From: "Steven McLeod" <[email protected]>
>>To: [email protected]
>>Subject: Macro Viruses
>>Date: Mon, 23 Apr 2001 09:44:20 -0000
>>
>>Hi,
>>
>>When you open a Microsoft Word document which contains macros,
>>the default security level causes MS Word to pop up a message
>>box stating "This document contains macros, which could be a
>>virus" and allows the user to "Disable macros" or "Enable macros".
>>
>>Alternatively, if the user's macro security is set to the most
>>secure setting (requiring macros to be signed) all untrusted macros
>>will automatically be stripped out from the document.
>>
>>This macro security feature of MS Word (in Office 2000 and Office
>>97) can be trivially bypassed by a malicious document, allowing
>>macro code in the document to be run when the document is opened
>>without prompting the user or notifying them that the document
>>contains macros. Furthermore, the macro will be run without user
>>knowledge even if the user's security setting is at the highest
>>setting (automatically strip out untrusted macros).
>>
>>I have attached a sample document to this email.
>>
>>Is this a known issue?
>>
>>Regards,
>>Steven McLeod.
>
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.