What's the scope of the vulnerability?
This is a denial of service vulnerability. A malicious user could use it to cause a running Office v. X application to fail, forcing the user to restart the application. Any data that was unsaved when the application crashed would be lost.
An attack would not affect the stability of the underlying operating system, nor allow an attacker to alter or delete data. Also, a successful attack could only cause one application to fail on a machine: specifically, the first Office v. X application that was loaded among those running when the attack occurs. All other Office v. X applications would continue to function normally.
What causes the vulnerability?
The vulnerability results because the Network PID Checking feature fails to handle exceptional circumstances, including specially malformed network packets, properly.
What is Network PID Checking?
Each legally purchased and installed copy of Microsoft software has a unique Product Identifier (PID). In most applications this identifier can be seen by choosing "About" from the "Help" menu; the unique PID is listed there.
Network Product Identification Checking is an anti-piracy feature new to Office v. X for Mac OS X. When an Office v. X application starts, it announces its PID on the local network at regular intervals. It also listens on the local network for PID announcements from other installations. If at any point an installation of Office v. X detects an announcement carrying its own PID, Office shuts down on both systems.
What's wrong with Network PID Checking?
There is an implementation flaw in the Network PID Checking feature: it does not handle specially malformed network packets properly. When such a packet is received, Office v. X does not handle the condition gracefully and fails.
How could an attacker exploit this vulnerability?
An attacker could attempt to exploit this vulnerability by sending a specially crafted network packet in one of two ways: they could send the packet directly to a single user's machine, or they could send the packet to all the computers on a subnet by specifying a broadcast address.
How would an attack directed at a single user work?
To attack a single user's machine, the attacker would send the specially malformed packet to the user's IP address. The advantage of this type of attack is that the attacker could target any machine they can deliver an IP packet to. This would allow an attacker to potentially mount attacks over great distances.
However, to succeed, the attacker would need to know the IP address of the intended victim. In most cases, IP addresses are assigned by the Dynamic Host Configuration Protocol (DHCP), and so a single machine's IP address can change.
Also, a directed attack like this would have to use the destination ports that the Network PID Checker uses: port 2222 and ports greater than 3000. As a best practice, most corporations block inbound traffic from the Internet on high ports such as these.
How would an attack directed at a broadcast or multicast address work?
To attack many users on a subnet, the attacker would send the specially malformed packet to that network's broadcast or multicast address. The advantage of this type of attack is that the attacker could deliver the malicious packet to all computers on a subnet, potentially causing many users' Office applications to fail.
The disadvantage of this attack method is that most routers and firewalls do not forward multicast or broadcast packets. As a result, an attacker would most likely only be able to disrupt Office applications on the single network segment they are connected to.
What could an attacker do via this vulnerability?
An attacker could cause an Office v. X application on the victim's machine to fail, forcing the user to restart it. While any unsaved data would be lost, there would be no opportunity for the attacker to alter data. Additionally, an attacker could not run programs or destabilize the operating system in any way.
If several Office X applications were running when an attack was launched, would all of them fail?
No. Only the first Office v. X application that the user had loaded would fail. Any other applications that were running at the time would continue to run normally. For example, if a user had started Word and Excel in that order and then received the malformed packet, Word would fail, but Excel would continue to function. The user could then restart Word and continue working.
Is it possible for these circumstances or packets to occur by accident?
No. In nearly every case, such packets would have to be hand-crafted by a user with malicious intent.
I'm running Office on a PC. Could I be affected?
No. The Network PID Checking feature discussed here is only available in Office v. X for Mac OS X.
I'm using Mac OS X, but I'm using a version of Office other than Office v. X. Could I be affected?
No. The Network PID Checking feature discussed here is only available in Office v. X.
What does the patch do?
The patch eliminates the vulnerability by allowing the Network PID Checker to continue operating under exceptional circumstances and to discard malformed packets instead of failing.
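The following Python model illustrates the flaw described under "What's wrong with Network PID Checking?" and the fix described above. It is an added example, not code from Microsoft or from Office v. X, and the advisory does not document the announcement's wire format; the format used here (a 4-byte magic, a 2-byte big-endian length, then the PID as ASCII text), the sample PID values and the sample packets are all assumptions constructed for the example. The fragile handler parses every field unconditionally, so a short packet, a bad length field or non-ASCII bytes raise an exception; in a real application that unhandled exception is what takes the process down. The hardened handler checks each field before using it and discards anything unexpected, which is the behaviour the patch is described as adding.

```python
"""Model of a PID-announcement listener, before and after hardening.

Example code, not Office v. X's own implementation. The wire format below
is an assumption made for the example; the advisory does not specify it.
Assumed format: 4-byte magic b"PIDX", 2-byte big-endian payload length,
then the PID as ASCII text.
"""
import struct

MAGIC = b"PIDX"
HEADER = struct.Struct("!4sH")          # magic, payload length
MAX_PID_LEN = 64                        # assumed upper bound for a PID string

# Hypothetical PID of the local installation (constructed sample value).
LOCAL_PID = "12345-678-9012345-67890"


def encode_announcement(pid: str) -> bytes:
    """Build a well-formed announcement in the assumed format."""
    body = pid.encode("ascii")
    return HEADER.pack(MAGIC, len(body)) + body


def fragile_handle(packet: bytes) -> str:
    """Pre-patch behaviour: trust the packet and parse it unconditionally.

    Any malformed input raises (struct.error, UnicodeDecodeError, ValueError);
    the caller never catches it, so the application fails.
    """
    magic, length = HEADER.unpack_from(packet)            # raises if too short
    pid = packet[HEADER.size:HEADER.size + length].decode("ascii")  # raises on non-ASCII
    if len(pid) != length:                                 # length field lied
        raise ValueError("truncated announcement")
    return "shutdown" if pid == LOCAL_PID else "ignore"


def hardened_handle(packet: bytes) -> str:
    """Post-patch behaviour: validate every field, discard anything unexpected."""
    if len(packet) < HEADER.size:
        return "discard"                                   # no complete header
    magic, length = HEADER.unpack_from(packet)
    if magic != MAGIC or length == 0 or length > MAX_PID_LEN:
        return "discard"                                   # wrong protocol or bad length
    body = packet[HEADER.size:]
    if len(body) != length:
        return "discard"                                   # length field does not match payload
    try:
        pid = body.decode("ascii")
    except UnicodeDecodeError:
        return "discard"                                   # PID must be ASCII text
    if not pid.isprintable():
        return "discard"
    return "shutdown" if pid == LOCAL_PID else "ignore"


def run(handler, packets):
    """Feed each packet to a handler and record the outcome.

    An exception escaping the handler is recorded as "crash:<ExceptionName>",
    which models the application failing on that packet.
    """
    results = []
    for packet in packets:
        try:
            results.append(handler(packet))
        except Exception as exc:
            results.append(f"crash:{type(exc).__name__}")
    return results


# Constructed sample traffic: two well-formed announcements and three
# hand-crafted malformed packets of the kind the advisory describes.
SAMPLE_PACKETS = [
    encode_announcement("98765-432-1098765-43210"),   # another machine's PID
    encode_announcement(LOCAL_PID),                    # duplicate of our own PID
    b"\x00",                                           # shorter than the header
    MAGIC + struct.pack("!H", 60000) + b"x",           # length field far larger than payload
    HEADER.pack(MAGIC, 3) + b"\xff\xfe\xfd",           # non-ASCII PID bytes
]

if __name__ == "__main__":
    for name, handler in (("fragile", fragile_handle), ("hardened", hardened_handle)):
        print(name, run(handler, SAMPLE_PACKETS))
```

Running the module prints one result per sample packet for each handler: both handlers ignore the foreign PID and report "shutdown" on the duplicate, but the fragile handler crashes on each of the three malformed packets while the hardened one discards them and keeps listening.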