What's the scope of the vulnerability?
This vulnerability could enable a malicious user to create specially formed Excel or PowerPoint files that would bypass macro security and execute automatically when the document is opened. Because macros by design can take any action that the user is able to take, this vulnerability could allow an attacker to take actions such as changing or deleting data, communicating with web sites, or changing the macro security settings.
A malicious document would not be able to take any actions that the user is not normally capable of. As such, access controls that limit the user's abilities would also limit what the malicious document could do. Further, a successful attack would require that the user open the malicious document. Best practices recommend that users not open documents from unknown or untrusted sources.
What causes the vulnerability?
The vulnerability results because the macro detection framework can fail to detect all instances in which the macro processor can execute macro commands. When a valid document is intentionally designed to obfuscate the presence of macros, it is still possible for those macros to execute.
What are macros?
Macros are small programs within applications such as Excel and PowerPoint. When macros run, they can take actions within the application or the operating system as if they were the user. An example of a simple action a macro might take in an application would be to find and replace text within a document. A more sophisticated macro might include features that perform automatic formatting on a document, copy files from the local system to the network, and send review copies by email.
Because macros are really small programs, it is possible for attackers to create malicious macros that take undesirable actions, such as deleting files, sending unwanted messages by email, or changing the data in documents. To help protect against malicious macros, Excel and PowerPoint have a security model that prevents macros from executing without warning.
What's wrong with the macro protection in Excel and PowerPoint?
It is possible for a malicious user to create a specially malformed Excel or PowerPoint document that would bypass the macro protections and allow macros to execute automatically.
Is it possible to create a document like this by accident?
No. It is not possible to create a document that bypasses macro protection by accident. It would require very specific, detailed knowledge and such a document would have to be specifically constructed with malicious intent.
What could an attacker use this vulnerability to do?
This could allow an attacker to craft a malicious document with macro code that would run automatically when the user opened the document.
What actions could the malicious document take?
Because macros take action on behalf of the user, a macro virus that ran would be able to take actions that the user himself is able to take, including changing or deleting files, sending data to external web sites, or reformatting the hard drive.
It's important to highlight that this means that it is possible for a macro virus to reset the user's security settings. A successful macro virus attack could leave a system vulnerable to future attack by disabling the security settings.
How would an attacker carry out an attack against this vulnerability?
An attacker could carry out an attack by several different routes. She could host a malicious document on a web site internally or on the Internet. She could place a malicious document on any file server to which she had appropriate permissions. Additionally, she could target specific individuals by sending a copy through email.
It's important to note that all attempts to carry out an attack require the potential victim to open the document. It is not possible to exploit this vulnerability without the user's action. Opening documents only from known, trusted sources will help to protect against an attempt to maliciously exploit this vulnerability.
What does the patch do?
The patch eliminates the vulnerability by improving the code which detects the presence of macros in these document types.
Who should apply the patch?
Anyone using or administering systems running the affected software versions should apply the patch.
I'm running Excel 97 and/or PowerPoint 97, does this issue affect me?
First, it's important to understand that Excel and PowerPoint 97 do not have the same macro security framework as Excel and PowerPoint 2000 and 2002. The Excel and PowerPoint 97 macro security framework lacks many key features that the 2000 and 2002 macro security framework has, including a digital signature trust model that allows trusted, signed macros to be differentiated from untrusted, unsigned macros. Under this older framework, it is difficult for a user to make an informed decision regarding the trustworthiness of macros.
In addition, as noted under "Tested Versions", Excel and PowerPoint 97 are no longer supported products.
Because of these two issues, customers who are concerned about macro security are urged to upgrade to a supported version with a more robust macro security model.
Are other members of the Office Suite vulnerable?
No. All members of the Office Suites for Windows and Macintosh were tested. No other products in the Office Suite were found to be vulnerable.