What's this bulletin about?
Microsoft Security Bulletin MS00-002 announces the availability of a patch that eliminates a vulnerability in the East Asian version of a utility included in Microsoft® Office products. The vulnerability could allow a malicious user to cause code of his or her choice to run on the machine of a user who opened a specially-modified Word document. Microsoft is committed to keeping customers' information safe, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a buffer overrun vulnerability, and affects a utility that converts Word version 5 documents into more recent formats. A malicious user could exploit this vulnerability in order to cause arbitrary code to run on the machine of a person who opened a specially-modified Word document using an affected version of the utility. If the attack was successful, the malicious user's code could take any desired action on the other person's computer. This could include creating, modifying or deleting files, reformatting the hard drive, or sending data to or downloading data from a web site.
The vulnerability affects only the converter that processes East Asian language sets -- Japanese, Korean, Simplified Chinese and Traditional Chinese -- and only the Windows version of these. Customers using any other version of the converter are not affected by the vulnerability.
What causes the vulnerability?
The vulnerability results because there is an unchecked buffer in the East Asian version of the converter. By inserting specially-malformed information into a Word 5 document, a malicious user could cause code to be run via a classic buffer overrun technique when an affected converter processed it.
What causes the convert utility to run?
The converter runs automatically when a Word 5 document is opened using Word, or imported into a PowerPoint presentation.
How would an attack via this vulnerability be mounted?
There would be three steps required in an attack via this vulnerability.
• The malicious user would need to modify a Word document to include the specific type of malformed data at issue.
• He or she would need to give the document to someone who was using an affected version of the converter. This could be done by emailing the document or providing it via a floppy disk or network share.
• The recipient of the document would need to open it.
How would the malicious user insert the malformed data?
He or she would need to edit the document's source code. This would most likely be done via either a hexadecimal editor or special-purpose program. The malformation at issue here cannot occur through normal use, and could not happen accidentally.
Is there any way for a malicious user to force an affected converter to run?
No. The converter only runs when opening a Word document in version 5 format, and Word documents will open only if you choose to open them.
I'm running a version of the converter that is not affected by the vulnerability. What would happen if I opened a document with the malformed information at issue here?
You'd be unable to open the document successfully because of the malformed data in it, but there would be no security risk. The vulnerability only exists when opening such a file using an East Asian version of the converter.
What does the patch do?
The patch causes the converter to treat the specific malformation at issue here as an error condition. This is correct behavior, as the malformed data is invalid and cannot be processed in a meaningful way.
Who needs to apply the patch?
The security bulletin provides a comprehensive listing of affected products. However, as a general recommendation, you should apply the patch if you are running on a Windows platform and any of the following is true:
• You've installed the Japanese, Korean, Simplified Chinese or Traditional Chinese versions of Word or PowerPoint for Windows, whether as a stand-alone product or as part of a suite.
• You've installed Office 2000 with Multilanguage Pack.
• You've installed the East Asian Word 5 converter as part of Microsoft Converter Pack 2000.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How can I tell if I installed the patch correctly?
Use the following table to verify that you've installed the patch correctly.
You've installed the patch correctly if WWORD5.CNV has the following properties:
Date: January 07, 2000
Size: 197,120 bytes
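The same check can be scripted so it can be repeated across many machines. The PowerShell below is an added example, not part of the bulletin; the default search root and the reading of "Date" as the file's last-modified date are assumptions.

```powershell
# Added example: compare every copy of WWORD5.CNV under the given roots with
# the date and size the bulletin lists for the patched converter.
param(
    # Assumption: the bulletin does not say where the converter is installed,
    # so the operator supplies the folders to search (default: Program Files).
    [string[]]$SearchRoot = @($env:ProgramFiles)
)

$ExpectedSize = 197120                   # bytes, from the bulletin
$ExpectedDate = [datetime]'2000-01-07'   # date, from the bulletin

function Test-ConverterFile {
    param([System.IO.FileInfo]$File)
    $sizeOk = $File.Length -eq $ExpectedSize
    # Assumption: the bulletin's "Date" is the last-modified date of the file.
    $dateOk = $File.LastWriteTime.Date -eq $ExpectedDate
    [pscustomobject]@{
        Path     = $File.FullName
        Size     = $File.Length
        Modified = $File.LastWriteTime.ToString('yyyy-MM-dd')
        SizeOk   = $sizeOk
        DateOk   = $dateOk
        Patched  = $sizeOk -and $dateOk
    }
}

$results = foreach ($root in $SearchRoot) {
    # Skip empty or missing roots instead of failing the whole sweep.
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Filter 'WWORD5.CNV' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Test-ConverterFile -File $_ }
}

if (-not $results) {
    Write-Output 'No copy of WWORD5.CNV found under the search roots.'
} else {
    $results | Format-Table -AutoSize
    # A non-zero exit code lets a deployment tool flag hosts that need review.
    if ($results | Where-Object { -not $_.Patched }) { exit 1 }
}
```

A mismatch means only that the file is not the one listed in this bulletin, so review flagged hosts rather than assuming they are unpatched. Size is the more reliable of the two properties, because the displayed date can shift with the local time zone.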
What is Microsoft doing about this issue?
Microsoft has developed a patch that eliminates the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued Knowledge Base articles explaining the vulnerability and patch in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.