New Office XP Vulnerability

[zigar]

NFORMATION ALERT


AN EMERGING ISSUE WITH:
MICROSOFT OFFICE XP


SEVERITY:
Medium

DATE:
April 3, 2002


SUMMARY:

In a post to Bugtraq on April 2, security researcher Georgi Guninski
described two security vulnerabilities involving components of
Microsoft Office XP. The first results in the unexpected execution
of hostile scripts on your system; the second allows an attacker to
deliver executable files to your hard drive. A hacker could combine
these vulnerabilities, craft a malicious e-mail, then deliver and
run malicious code intended to take over your system. There is no
direct impact on WatchGuard products. If you use Microsoft Office XP
in your network, consider implementing the workarounds described
below until a patch becomes available.


EXPOSURE:

Guninski describes two Microsoft Office XP vulnerabilities in his
advisory <http://www.guninski.com/m$oxp-2.html>:

1. Guninski found that it is possible to embed a script within an
HTML formatted e-mail so that the script executes without warning
when a user receives the e-mail in Outlook XP, then replies to or
forwards it. A hacker could use this vulnerability to force
victim systems to execute a malicious HTML script. This would
most likely result in pranks that are more annoying than
damaging, such as changing your browser's home page to an
offensive site, popping up a hundred browser windows, or popping
up a dialog box that will not go away. The greater danger is that
the script could drive your browser to some designated malicious
Web page, where Trojan code could be loaded onto your machine.

2. Guninski also found a vulnerability in Office XP's spreadsheet
component, the code that embeds Excel spreadsheets into HTML and
Office documents. A flawed function within this component allows
a hacker to write an arbitrary file to a specific location on
your hard drive. A hacker could exploit this flaw by sending you
an HTML e-mail with an embedded spreadsheet that would write a
malicious program into your Windows startup directory.

According to Guninski, a hacker can combine these vulnerabilities to
take over your system. For instance, a hacker could craft a
malicious HTML e-mail containing an embedded spreadsheet. If you
replied to or forwarded the malicious e-mail, a script would execute
and the spreadsheet component would write a Trojan to your startup
directory. The next time you booted your computer, the hacker would
have total control of your system.


SOLUTION PATH:

Microsoft has not yet released a patch for these two
vulnerabilities. However, Microsoft states (and WatchGuard testing
verifies) that you can avoid the Outlook XP script execution
vulnerability by disabling Word as your default e-mail editor. In
Outlook XP, go to Tools => Options => Mail Format tab and uncheck
"Use Microsoft Word to edit e-mail messages." After you do this,
scripts will not be able to execute when you reply to or forward
messages.

There is no known, verified workaround for the Office XP spreadsheet
component vulnerability.

[meister]

"...Microsoft has not yet released a patch for these two vulnerabilities..."
as always...

thx for the warning...

-------------------------------------------------------------------
"Knowledge is the Real Power"

[Dr Toker]

Cool