Alert:OFFICE OWC VULNERABILITIES

[zigar]

INFORMATION ALERT


AN EMERGING ISSUE WITH:
MICROSOFT OFFICE 2000 AND XP
OFFICE WEB COMPONENT (OWC) VULNERABILITIES


SEVERITY:
Medium

DATE:
April 9, 2002


SUMMARY:

In posts to Bugtraq on April 8, Greymagic Software described four
vulnerabilities in the Office Web Components (OWC) shipped with
Microsoft Office 2000 and XP. Malicious Website administrators could
exploit these flaws to verify that local files exist, read those
local files, gain unauthorized access to your local clipboard, and
execute unauthorized scripts. There is no direct impact on
WatchGuard products. Administrators using Office 2000 or XP within
their network may want to follow the workaround below until patches
becomes available.


EXPOSURE:

Office Web Components (OWC) are a group of scripting components used
to embed Microsoft Office content into Web pages. OWC comes with
Microsoft Office and is also available as a free download from
Microsoft's Website.

On April 8, GreyMagic Software released four advisories concerning
security vulnerabilities in OWC for Office 2000 and XP:

1. The first advisory <http://sec.greymagic.com/adv/gm005-ie/>
concerns a flaw in Office XP's OWC10 that allows a malicious
Website to execute unauthorized scripts. A hacker could craft a
Website that, when visited, would execute a dangerous script
even if you had active scripting disabled. Javascripts and
VBscripts are often used in viruses to deliver some kind of
damaging payload. Malicious scripts can cause all sorts of havoc
on your machine.

2. The second advisory <http://sec.greymagic.com/adv/gm006-ie/>
describes a vulnerability in OWC that allows a malicious Website
to read files on your local system. This vulnerability affects
both Office 2000's OWC9 and Office XP's OWC10. A hacker could
craft a malicious Website that, when visited, would read specific
files on your local hard drive. The hacker would need to know the
name and location of a file in order to read it. The hacker might
use this attack to read your sensitive business files or gain
extra system knowledge for use in further attacks.

3. The third advisory <http://sec.greymagic.com/adv/gm007-ie/>
details a flaw in OWC that would give a malicious Website
unauthorized control over your local clipboard. This
vulnerability affects both Office 2000's OWC9 and Office XP's
OWC10. A configurable feature in Internet Explorer (IE) allows
Websites access to your clipboard. However, GreyMagic has found a
way to read and write to the clipboard even when the feature is
disabled. By enticing you to his maliciously crafted Website, a
hacker could monitor your clipboard in hopes of learning private
information. However, he is limited to reading only what you copy
to your clipboard.

4. The final advisory <http://sec.greymagic.com/adv/gm008-ie/>
explains multiple flaws in OWC that allows attackers to learn if
certain files exists on your hard drive. This vulnerability
affects both Office 2000's OWC9 and Office XP's OWC10. A hacker
could craft a malicious Website that, when visited, would attempt
to access a specific file. If this action didn't produce an
error, the hacker would know the file exists. In itself, this
vulnerability is fairly useless. However, once a hacker knows a
certain file exists he could combine this knowledge with the
second vulnerability and read the contents of that specific file.

Any of these attacks might also work if sent as an HTML e-mail that
the intended victim opens.


SOLUTION PATH:

As of yet, Microsoft has not made a patch available for this flaw.
However, you can prevent all four of these vulnerabilities by
disabling ActiveX controls and plug-ins in IE. Keep in mind, this
change also prevents other Web components, like Flash, from working.

To disable ActiveX controls and plug-ins in IE, click Tools =>
Internet Options => Security tab. Select the Internet Zone and press
the Custom Level button. Scroll down to the setting "Run ActiveX
controls and plug-ins" and choose "Disable." Click OK twice and
you're done.

[gstudios]

Thanks Zigar!