securityvulns SECURITYVULNS:DOC:2071
Oct 05, 2001 - 12:00 a.m.

Security Bulletin MS01-050


Title: Malformed Excel or PowerPoint Document Can Bypass Macro
Security
Date: 04 October 2001
Software: Microsoft Excel or PowerPoint for Windows or Macintosh
Impact: Run Code Of Attacker's Choice
Bulletin: MS01-050

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-050.asp.


Issue:

Excel and PowerPoint have a macro security framework that controls
the execution of macros and prevents macros from running
automatically. Under this framework, any time a user opens a
document, the document is scanned for the presence of macros.
If a document contains macros, either the user is notified and
asked whether to run them, or the macros are disabled entirely,
depending on the security setting. A flaw exists in the way macros
are detected that can allow a malicious user to bypass macro
checking.

An attacker could attempt to exploit this vulnerability
by crafting a specially formed Excel or PowerPoint document with
macro code that would run automatically when the user opened it.
The attacker could carry out this attack by hosting the malicious
file on a web site, a file share, or by sending it through email.

Mitigating Factors:

  • The macro code could not execute without the user's
    first opening the document.

Patch Availability:

Acknowledgment:


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.