SECURITYVULNS:DOC:2072
Oct 06, 2001 - 12:00 a.m.

Symantec Security Response SecBul-10042001, Revision 1, Malformed Microsoft Excel or PowerPoint documents bypass Microsoft macro security features

Symantec Security Bulletin
Symantec Security Response SecBul-10042001

Date Issued:
04 October 2001
Revision 1: 05 October, 2001

HEADLINE:
Malformed Microsoft Excel or PowerPoint documents bypass Microsoft macro
security features.

SOURCE:
Symantec Corporation.

RISK Impact:
High
Unauthorized macro files, potentially containing malicious code, can run
without warning, successfully bypassing Microsoft's security features.
An attacker could run arbitrary code with user privileges.

Affected Components:
Microsoft Excel 97 for Windows
Microsoft Excel 98 for Windows
Microsoft Excel 2000 for Windows
Microsoft Excel 2001 for Macintosh
Microsoft Excel 2002 for Windows
Microsoft PowerPoint 97 for Windows
Microsoft PowerPoint 98 for Windows
Microsoft PowerPoint 2000 for Windows
Microsoft PowerPoint 2001 for Macintosh
Microsoft PowerPoint 2002 for Windows
All versions of these individual products bundled in Microsoft Office
Suites
Microsoft Excel 98 and PowerPoint 98 for Macintosh, although not tested by
Symantec, should be considered vulnerable to this issue as well.

Overview:
Microsoft Office applications, 2000 versions and later, have three security
settings for macros. The "Low" setting allows all macros to run. Setting
the security to "Medium" displays a warning window stating the dangers of
opening documents containing macros. This pop-up allows the user to make
the decision whether to enable or disable the macro. Under the "High"
setting, unsigned macros are disabled automatically. Microsoft Office
applications prior to the 2000 version had much simpler macro security
models.
Symantec engineers have discovered that by specifically modifying the data
stream in a document file containing a macro, the Microsoft Office security
settings for macros are completely bypassed in all versions of Microsoft
PowerPoint and Excel products.

This issue was initially reported to Microsoft Security on 26 June 2001.

Details:

Symantec engineers discovered a bug in the way macros are loaded in all
versions of Microsoft PowerPoint and Excel. Under normal circumstances,
with the high or medium security setting enabled, whenever a Microsoft
PowerPoint or Excel document is received, it is scanned for macros. If the
document contains a macro, a security warning prompt is displayed under
medium security; if the macro is recognized as untrusted, it is
disabled under the high security setting. Microsoft Office versions prior
to 2000 provided a much simpler security model. By specifically modifying
the data stream in the document file, the Microsoft security scanner is
prevented from recognizing an embedded macro, resulting in its execution
when the document is opened. Exploiting this vulnerability in susceptible
Microsoft products enables an attacker to craft potentially malicious macro
code to automatically run when such a modified document is opened on a
target machine. The malicious macro is able to take any action with
privileges of the user on the targeted system.

This has been successfully tested in PowerPoint and Excel 97 SR-2,
PowerPoint and Excel 98, PowerPoint and Excel 2000, and PowerPoint and
Excel 2002 as well as PowerPoint and Excel 2001 for Macintosh. Under
PowerPoint 2002, the version included in Microsoft Office XP, even unsigned
macros can be executed at the highest security settings (the Run option is
not disabled).

NOTE: A similar exploit exists for Microsoft Word; however, the Microsoft
security patch available in Microsoft Security Bulletin MS01-034 for Steven
McLeod's Microsoft Word macro exploit also protects against this exploit.
Symantec urges all Microsoft Word users who have not applied the patch in
MS01-034 to download and apply that patch immediately as well, for maximum
protection.

Security Response:
Symantec highly recommends all users ensure they are running a current AV
product with the latest updates and script blocking to protect against
unauthorized executables and other hostile code running on the user's
system. Microsoft application users should ensure that all security
patches are up-to-date.

Additionally, Microsoft has released a security bulletin, MS01-050, for
this issue with links to product security patches. Users of individual
Microsoft Office products as well as bundled Microsoft Office suites should
download and install the appropriate security patches to secure their
applications:

NOTE: Microsoft no longer supports Microsoft Excel or PowerPoint 97/98
versions. Symantec strongly suggests that all users of these vulnerable
versions upgrade as soon as possible to a supported version and apply all
appropriate security patches.

CVE:
The Common Vulnerabilities and Exposures (CVE) initiative has assigned the
name CAN-2001-0718 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
problems.


Credit: Peter Ferrie, Symantec Security Response Australia, discovered and
researched these vulnerabilities. Symantec would like to also thank
Microsoft Security Response for their cooperation and coordination in
addressing this issue.

Copyright (c) 2001 by Symantec Corp.

Permission to redistribute this Bulletin electronically is granted as long
as it is not edited in any way unless authorized by Symantec Security
Response. Reprinting the whole or part of this Bulletin in medium other
than electronically requires permission from [email protected].

Disclaimer:
The information in the advisory is believed to be accurate at the time of
printing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect or consequential
loss or damage arising from use of, or reliance on this information.

Symantec and Symantec Security Response are Registered Trademarks of
Symantec Corp. and/or affiliated companies in the United States and other
countries. All other registered and unregistered trademarks represented in
this document are the sole property of their respective companies/owners.
