
From:MICROSOFT <secure_(at)_microsoft.com>
Date:23.08.2002
Subject:Security Bulletin MS02-044 : Unsafe Functions in Office Web Components (Q328130)

----------------------------------------------------------------------
Title:      Unsafe Functions in Office Web Components (Q328130)
Date:       21 August 2002
Software:   Office Web Components, Office, BackOffice Server,
            BizTalk Server, Commerce Server, ISA Server, Money,
            Microsoft Project, Microsoft Project Server,
            Small Business Server
Impact:     Three vulnerabilities, the most serious of which could
           allow an attacker to run commands on the user's system.
Max Risk:   Critical
Bulletin:   MS02-044

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-044.asp.
----------------------------------------------------------------------

Issue:
======
The Office Web Components (OWC) contain several ActiveX controls
that give users limited functionality of Microsoft Office in a web
browser without requiring that the user install the full
Microsoft Office application. This allows users to utilize
Microsoft Office applications in situations where installation
of the full application is infeasible or undesirable.

The control contains three security vulnerabilities, each of
which could be exploited either via a web site or an HTML mail.
The vulnerabilities result because of implementation errors
in the following methods and functions the controls expose:

- Host(). This function, by design, provides the caller with
  access to applications' object models on the user's system.
  By using the Host() function, an attacker could, for instance,
  open an Office application on the user's system and invoke
  commands there that would execute operating system commands
  as the user.

- LoadText(). This method allows a web page to load text into a
  browser window. The method does check that the source of the
  text is in the same domain as the window, and in theory should
  restrict the page to only loading text that it hosts itself.
  However, it is possible to circumvent this restriction by
  specifying a text source located within the web page's domain,
  and then setting up a server-side redirect of that text to a
  file on the user's system. This would provide an attacker with
  a way to read any desired file on the user's system.

- Copy()/Paste(). These methods allow text to be copied and pasted.
  A security vulnerability results because the method does not
  respect the "disallow paste via script" security setting in IE.
  Thus, even if this setting had been selected, a web page could
  continue to access the copy buffer, and read any text that the
  user had copied or cut from within other applications.

The patch does not set the "kill bit" on the control, for reasons
discussed in the FAQ.

Mitigating Factors:
====================
Overall:

- In the case of the web-based attack, an attacker would need
  to force a user to visit the attacker's Web site. Users who
  exercise caution in visiting web sites could minimize their
  risk.

- In the web-based attack, if ActiveX controls have been
  disabled in the zone in which the page was viewed, the
  vulnerability could not be exploited. Users who place
  untrusted sites in the Restricted Sites zone, which disables
  ActiveX by default, or who have disabled ActiveX controls in the
  Internet zone could minimize their risk.

- In the case of HTML email based attacks, customers who read
  email in the Restricted Sites zone would be protected against
  attempts to exploit this vulnerability. Customers using
  Outlook 2002 and Outlook Express 6.0, as well as
  Outlook 2000 and Outlook 98 customers who have applied the
  Outlook Email Security Update would thus be protected by
  default. Also, Outlook Express 5.0 customers who have chosen
  to read mail in the Restricted Sites zone would be protected
  by default.

- In the HTML email based attack, Outlook 2002 customers who
  have enabled the "Read as Plain Text" option available in
  SP1 or later would also be protected.

Host() Vulnerability:

- The attacker's code would be limited by restrictions on the
  user's account. Users of non-privileged accounts would limit
  the potential damage from a successful attack.

LoadText():

- The attacker would need to know the full path and name of the
  file. In addition the file would have to be viewable in a
  web browser.

Copy()/Paste():

- The vulnerability could enable an attacker to access only
  information in the Windows clipboard. The information in the
  clipboard is unpredictable, and this vulnerability gives an
  attacker no means to target and retrieve specific
  information. Further, the clipboard may be empty, which
  would yield an attacker nothing.

- The security setting in question is not enabled by default.
  Thus, the vulnerability does not present a threat to the
  default installation.
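The mitigating factors above rest on two Internet Explorer zone settings
(whether ActiveX controls run in a zone, and whether scripted paste is
allowed) and the FAQ note that the patch leaves the control's "kill bit"
unset. The following PowerShell audit is an added example, not part of the
Microsoft bulletin or of the securityvulns.ru posting. It assumes the
standard per-zone registry value names 1200 ("Run ActiveX controls and
plug-ins") and 1407 ("Allow paste operations via script"), with 0 = enable,
1 = prompt, 3 = disable, zone 3 being Internet and zone 4 Restricted Sites,
and the standard "Compatibility Flags" kill-bit location under ActiveX
Compatibility. The bulletin does not list the OWC control CLSIDs, so
$ClsidToCheck is a placeholder that must be replaced with the real value.

```powershell
# Added audit script (not from the bulletin). Reports the IE zone settings
# the bulletin names as mitigations and whether a given control is kill-bitted.
param(
    # PLACEHOLDER: the bulletin gives no CLSID; substitute the control's real CLSID.
    [string]$ClsidToCheck = '{00000000-0000-0000-0000-000000000000}'
)

# Per-user zone settings. If policy enforces machine-wide zones
# ("Security Zones: Use only machine settings"), check HKLM instead.
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneName = @{ 3 = 'Internet'; 4 = 'Restricted Sites' }
$meaning  = @{ 0 = 'enabled'; 1 = 'prompt'; 3 = 'disabled' }

function Get-ZoneSetting {
    param([int]$Zone, [string]$ValueName)
    $key   = Join-Path $zoneRoot $Zone
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$ValueName) { return $null }
    return [int]$props.$ValueName
}

function Describe-Setting {
    param($Value)
    if ($null -eq $Value) { return 'not set (browser default applies)' }
    if ($meaning.ContainsKey($Value)) { return $meaning[$Value] }
    return "unknown value $Value"
}

foreach ($zone in 3, 4) {
    # 1200: whether ActiveX controls such as OWC run at all in this zone.
    $activex = Get-ZoneSetting -Zone $zone -ValueName '1200'
    # 1407: scripted paste; the bulletin says OWC Copy()/Paste() ignore this
    # setting, so "disabled" here does NOT protect an unpatched control.
    $paste   = Get-ZoneSetting -Zone $zone -ValueName '1407'
    "{0} zone: ActiveX {1}; paste via script {2}" -f $zoneName[$zone],
        (Describe-Setting $activex), (Describe-Setting $paste)
    if ($zone -eq 3 -and $activex -ne 3) {
        "  -> ActiveX is not disabled in the Internet zone; apply the MS02-044 patch."
    }
}

# Kill bit: IE refuses to instantiate a control whose Compatibility Flags
# value has bit 0x400 set. The bulletin's patch does not set it.
$killKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$ClsidToCheck"
$flags = (Get-ItemProperty -Path $killKey -Name 'Compatibility Flags' `
            -ErrorAction SilentlyContinue).'Compatibility Flags'
if ($null -ne $flags -and ($flags -band 0x400)) {
    "Kill bit is set for $ClsidToCheck"
} else {
    "Kill bit is NOT set for $ClsidToCheck (expected after MS02-044; patch, do not rely on the kill bit)"
}
```

The script only reads the registry; it changes nothing. Its value is in
separating the three controls the bulletin discusses: disabling ActiveX
in a zone (value 1200) removes all three issues for pages in that zone,
whereas the paste setting (value 1407) is exactly the one the unpatched
Copy()/Paste() methods ignore, so a "disabled" reading there should not be
taken as protection.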

Risk Rating:
============
- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
  Security Bulletin at
  http://www.microsoft.com/technet/security/bulletin/ms02-044.asp
  for information on obtaining this patch.

---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS
OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT
APPLY.
