Word Mail Merge vulnerability (Patch available)
------------------------------------------------------------------------
SUMMARY
Microsoft has released a patch that eliminates a security vulnerability in Microsoft Word 2000 and 97. The vulnerability allows a malicious user to run arbitrary code on a victim's computer without their approval by sending them a malicious Word document.
DETAILS
Affected Software Versions:
- Microsoft Word 2000
- Microsoft Word 97
If an Access database is specified as a data source via DDE in a Word mail merge document, macro code can run without the user's approval when the document is opened.
If a user could be enticed into opening a specially constructed mail merge Word document, which was provided either as an e-mail attachment or as a link hosted on a hostile web site, it would be possible to cause arbitrary code to run on the user's machine. For such an attack to succeed, the victim would also need the ability to reach the Access database via a UNC share or the file:// protocol. If the user were behind a firewall and security best practices have been followed, the ports required to access the database would be blocked.
Patch Availability:
- Microsoft Word 2000:
http://officeupdate.microsoft.com/2000/downloadDetails/wrdacc.htm
- Microsoft Word 97: Patch will be available shortly.
What's the scope of the vulnerability?
The vulnerability could allow a malicious user to execute code on a user's machine without the user's authorization. In order to exploit this vulnerability, the malicious user would need to entice the user to either open a Word file attachment in a malicious e-mail message or to visit a malicious web site that referenced a malicious Word file through HTML. The Word document would refer in turn to an Access database used as a mail merge data source, and the code would be executed when the Access database was opened.
A user could only be attacked if they had the ability to open the Access data source specified by the malicious user. In other words, if the malicious Access file were referenced as a UNC path, the user would need to have the ability to reach that file. If a customer's computer were behind a firewall and security best practices had been followed, access to UNC paths hosted on the Internet would normally be blocked.
What causes the vulnerability?
By design, there is no macro protection mechanism when opening an Access
database. If Access is specified as a data source for a Word mail merge
document, then VBA code contained within the Access database will be
launched when the Word document is opened.
What is VBA?
Microsoft Visual Basic for Applications (VBA) is the development
environment and macro language that is included as part of Microsoft
Office. It lets customers automate a wide variety of tasks within any
Office application. The vulnerability at issue here could allow VBA code
contained in an Access database to be executed without the user's
knowledge when the user opened a Word mail merge document.
What's the mail merge function in Word?
Mail merge is a feature that provides the ability to easily construct form letters, mailing lists, and catalogs within Microsoft Word. Normally it is used in conjunction with a database application or other external data management tool that allows the user to "merge" a document containing addresses or other personalized information into a Word mail merge document.
What's wrong with the mail merge functionality in Word?
The vulnerability does not result from the mail merge function as such, but from the interaction of the Word mail merge function and the Access database that can be used as a data source, via DDE. While Word will warn a user before executing VBA code contained in a Word document, a malicious user could avoid the warning by creating a Word mail merge document that used an Access database as a data source, and then inserting VBA code in the Access database.
In the case of a Word file being opened from Internet Explorer, the Office Document Open Confirmation Tool will prompt the user before opening the Word file from within IE.
What would this vulnerability let a malicious user do?
The vulnerability could allow a malicious user to execute code on a user's machine without the user's approval. In order to exploit this vulnerability, the malicious user would need to entice the user to either open a Word file attachment in a malicious e-mail message or to visit a malicious web site that referenced the malicious Word file.
If the VBA code contained within the Access database attempted to function as a virus such as the ILOVEYOU virus, the Outlook E-mail Security Update could prevent the virus from propagating via e-mail.
Would the malicious Word or Access file need to be located on my local machine?
No. The malicious user could either send an e-mail attachment with the offending Word file or create a link to a malicious web site that included an HTML reference to the Word file. The Word file could be located on the malicious user's web site.
How would a malicious user exploit this vulnerability?
The most likely scenario (if it were to take place) would involve a malicious user sending a Word document as an attachment in e-mail or sending an HTML link through mail, referencing the Word file on their malicious web site. The Word file would in turn reference the Access database as a mail merge data source.
In both scenarios above, the user would be taking action on an untrusted file or link from an untrusted source. Users should be careful in opening attachments or following links from unknown sources.
If I'm behind a firewall, would that prevent an attack from succeeding?
If a user is protected by a firewall, where best security practices have been followed and inbound and outbound traffic has been blocked on ports 135-139 and 445, a malicious Access database hosted on the Internet cannot exploit this vulnerability. The Access database will not be retrieved when it is specified as a mail merge data source through the file:\\ or UNC naming conventions.
Where can I get information on ports 135-139 and 445 referenced above?
http://www.isi.edu/in-notes/iana/assignments/port-numbers provides more information on the use of the port numbers listed above. Briefly, ports 135-139 and 445 are the NetBIOS ports used for accessing files on a Windows network.
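The firewall advice above is only effective if outbound NetBIOS/SMB from workstations really is blocked. As an added example (not part of the bulletin), the following script reads a few constructed firewall log lines and flags accepted flows from an internal host to an Internet host on ports 135-139 or 445, which is exactly the path a mail merge data source on a hostile UNC share would take. The log format, the internal ranges and the addresses are all assumptions for the example.

```python
"""Find egress-policy gaps that would let Word fetch an Access data source
over NetBIOS/SMB from the Internet. Constructed example; the log format
below is made up, so adapt LINE to your firewall's real output."""
import re
from ipaddress import ip_address, ip_network

# Ports the bulletin says must be blocked inbound and outbound.
NETBIOS_SMB_PORTS = set(range(135, 140)) | {445}

# Assumed internal address space for the example.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Assumed log line shape: "<date> <time> ACCEPT|DROP TCP|UDP src:port -> dst:port"
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def find_exposed_flows(log_lines):
    """Return (src, dst, dport) for accepted internal-to-external flows on
    the NetBIOS/SMB ports; anything returned is a policy gap to close."""
    hits = []
    for line in log_lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        dport = int(m["dport"])
        if m["action"] != "ACCEPT" or dport not in NETBIOS_SMB_PORTS:
            continue
        src, dst = ip_address(m["src"]), ip_address(m["dst"])
        if is_internal(src) and not is_internal(dst):
            hits.append((str(src), str(dst), dport))
    return hits


# Constructed sample log: one intranet SMB flow (fine), two accepted
# outbound SMB/NetBIOS flows to an external host (gaps), one dropped, one HTTP.
SAMPLE_LOG = [
    "2000-10-11 09:58:03 ACCEPT TCP 10.0.0.15:1031 -> 10.0.0.5:445",
    "2000-10-11 10:01:02 ACCEPT TCP 10.0.0.15:1034 -> 198.51.100.7:445",
    "2000-10-11 10:01:03 ACCEPT TCP 10.0.0.15:1035 -> 198.51.100.7:139",
    "2000-10-11 10:01:04 DROP TCP 10.0.0.22:1040 -> 198.51.100.7:137",
    "2000-10-11 10:02:10 ACCEPT TCP 10.0.0.15:1036 -> 198.51.100.7:80",
]

if __name__ == "__main__":
    for src, dst, port in find_exposed_flows(SAMPLE_LOG):
        print(f"outbound NetBIOS/SMB allowed: {src} -> {dst}:{port}")
```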
What machines are at greatest risk from this vulnerability?
Any computer that has Microsoft Word and Access installed and is connected to a network can be affected by this vulnerability. However, the risk from a malicious Word file is greater if users are directly connected to the Internet. Macintosh Word users are not affected by this vulnerability since Access is not an application that is supported on the Macintosh.
It seems that Access is the cause of the problem; why did Microsoft fix Word?
The vulnerability results from the fact that an executable object (the Access database with embedded VBA code) could be launched from a Word document without warning to the user. The patch makes Word's handling of Access as an executable document consistent with Word's handling of other executable types.
Who should use the patch?
Microsoft recommends that all users of the affected versions of Microsoft Word consider installing this patch.
What does the patch do?
The patch enforces zone checking of the Access mail merge data source within the Word file. A dialog will appear notifying the user that the mail merge data source is unavailable if the file is detected to be in the Internet or Restricted sites zone.
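To make the zone check concrete, here is an added illustrative model (not Microsoft's code) of the decision the patched Word makes: it classifies where a DDE data source reference points (local drive, UNC share or file:// URL) and treats the Internet and Restricted sites cases as "unavailable". The zone rules are an assumption that approximates Internet Explorer's defaults (a host name without dots or a non-global IP is Local intranet; everything else is Internet), and the Restricted sites list is supplied by the caller.

```python
"""Illustrative model of the patched behaviour: refuse a mail merge data
source that resolves to the Internet or Restricted sites zone.
Constructed example; zone rules approximate IE defaults (assumption)."""
from ipaddress import ip_address
from urllib.parse import urlparse, unquote


def _host_zone(host, restricted_hosts):
    """Map a host component to 'local', 'intranet', 'internet' or 'restricted'."""
    host = host.strip().lower()
    if not host:
        return "local"  # no host at all: a local file path
    if host in restricted_hosts:
        return "restricted"
    try:
        addr = ip_address(host)
        # Assumption: non-global IPs (RFC 1918, loopback, link-local) are intranet.
        return "internet" if addr.is_global else "intranet"
    except ValueError:
        # Assumption (IE default): a dotless name is intranet, a FQDN is Internet.
        return "intranet" if "." not in host else "internet"


def data_source_zone(ref, restricted_hosts=frozenset()):
    """Classify a mail merge data source reference as written in the document.
    Accepts drive paths, \\host\share UNC paths and file:// / file:\\ URLs."""
    ref = ref.strip()
    if ref.lower().startswith("file:"):
        parsed = urlparse(ref.replace("\\", "/"))
        host = parsed.netloc
        path = unquote(parsed.path)
        # file:////host/share puts the UNC host inside the path component.
        if not host and path.startswith("//"):
            host = path.lstrip("/").split("/", 1)[0]
        return _host_zone(host, restricted_hosts)
    if ref.startswith("\\\\") or ref.startswith("//"):
        host = ref.lstrip("\\/").replace("/", "\\").split("\\", 1)[0]
        return _host_zone(host, restricted_hosts)
    return "local"  # drive letter or relative path


def merge_allowed(ref, restricted_hosts=frozenset()):
    """Patched behaviour: Internet or Restricted sites zone -> data source
    reported as unavailable; local and intranet sources still merge."""
    return data_source_zone(ref, restricted_hosts) in ("local", "intranet")
```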
How do I use the patch?
Microsoft Knowledge Base articles Q274226 (Word 2000) <http://www.microsoft.com/technet/support/kb.asp?ID=274226> and Q272749 (Word 97) <http://www.microsoft.com/technet/support/kb.asp?ID=272749> contain detailed instructions for applying the patch.
How can I tell if I installed the patch correctly?
Microsoft Knowledge Base articles Q274226 (Word 2000) <http://www.microsoft.com/technet/support/kb.asp?ID=274226> and Q272749 (Word 97) <http://www.microsoft.com/technet/support/kb.asp?ID=272749> provide a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
--
Eko Sulistiono
MIKRODATA & AntiVirus Media
Web: http://www.mikrodata.co.id/
WAP: http://www.mikrodata.co.id/wap/index.wml