Microsoft Security Bulletin (MS00-022): Frequently Asked Questions
What's this bulletin about?
Microsoft Security Bulletin MS00-022 announces the availability of a patch that eliminates a vulnerability in Microsoft® Excel. The vulnerability could allow a macro to run without warning the user. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This vulnerability provides a way for an Excel macro to run without generating the usual warning notice to the user. A malicious user could create a text file containing Excel macro commands, and embed commands in a spreadsheet that, if executed, would launch the macro without asking the user for permission.
The vulnerability is limited in two chief ways. First, it does not provide any way for a malicious user to force the user to open the spreadsheet. Second, even if the user did open the spreadsheet, an affected macro could only execute if the user could be persuade to launch it.
What kind of security features does Excel provide for macros?
Security is an important consideration when using macros. By design, a running macro can take any action on a system that the user himself could take. For example, a macro, once running, could add, change or delete files, reformat the hard drive, or communicate with a web site
Excel lets each user decide under what conditions macros will be allowed to run. By selecting Tools, then Macro, then Security, the user can select any of three ways to handle macros:
| • | High security. Macros that have been digitally signed by someone the user trusts can run, but all other macros are prevented from running. |
| • | Medium security. Macros that have been digitally signed by someone the user trusts can run, but all others will generate a warning dialogue that asks for the user's permission before running. (This is the default setting). |
| • | Low security. All macros are allowed to run without warning. (This is not a recommended setting). |
This vulnerability affects the types of warnings that users with security set to medium would see, and the conditions under which they would see them.
If I've selected Medium Security, what kind of warnings should I see?
You should see two types of warnings. First, when Excel opens a spreadsheet, it scans the spreadsheet to see if it contains any macros, and asks whether to disable them or not. This warning mechanism is not affected by the vulnerability.
The second type of warning occurs if you click on a link that tries to run a macro located outside of the spreadsheet - for instance, in another spreadsheet. By design, Excel should display a warning and ask you to confirm that you do want to run the macro. However, under certain conditions, it's possible for a malicious user to create a macro that, when called by a spreadsheet, won't generate the expect warning message.
Under what conditions would the warning not be generated?
Excel generates the expected warning when the user clicks on a link that runs a macro in another spreadsheet. However, if the link runs a macro that's located in a text file, the expected warning isn't generated.
How could a macro be created in a text file?
If a text file contains Excel 4.0 Macro Language (XLM) commands, and is opened using a command that expects to open a macro, Excel will parse and execute the macro commands in the text file.
How would the malicious user get such a spreadsheet onto a user's machine?
This vulnerability does not provide any way to place a spreadsheet, and the text file containing the macro, on another user's machine. The malicious user would need to persuade or entice the user into downloading the files onto his machine by emailing them to him, hosting them for download on a web site, or some other means. Microsoft strongly recommends that users never download programs or files from untrusted sources.
If the user downloaded the spreadsheet, how would the malicious user get the user to open it?
This vulnerability does not provide any way to remotely open a spreadsheet. The malicious user would need to persuade or entice the user into opening it. This would be a matter of social engineering - packaging the spreadsheet in a way that convinces the user to open it.
If the user opened the spreadsheet, could the macro launch automatically?
No. There is no way to "autolaunch" such a macro. The malicious user would need to persuade or entice the user into clicking on a link to run the macro.
Does this vulnerability change the way a macro operates?
No. The only aspect of a macro's behavior that is affected by this vulnerability is whether or not it generates a warning before it runs. Once run, such a macro would have no more and no fewer capabilities than any other macro.
Could this vulnerability be exploited accidentally?
It's extremely unlikely that this vulnerability would be exploited accidentally. It involves packaging very specific commands in a very specific, unusual, way.
Does this vulnerability affect any other members of the Office family?
No. Only Excel is affected
What does the patch do?
The patch restores proper operation, by ensuring that any operation that runs a macro generates the expected warning.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin
How can I tell if I installed the patch correctly?
Excel 97 customers can confirm that they have installed the latest patch for Excel 97 correctly by referring to the KB article 232652.
Excel 2000 customers can confirm that they have installed the patch correctly by confirming that they have installed Office SR1. To do this, choose Help, then About Excel, and verify that the dialogue box indicates that SR1 is installed.
What is Microsoft doing about this issue?
| • | Microsoft has developed a patch that eliminates the vulnerability. |
| • | Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch. |
| • | Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins. |
| • | Microsoft has issued Knowledge Base articles explaining the vulnerability and patch in more detail. See the More Information section of the security bulletin for specific references. |
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
