What's this bulletin about?
This bulletin announces the availability of a patch that eliminates two vulnerabilities in Microsoft® Excel 97 and 2000 that could allow a macro to bypass the usual security mechanism and run without warning. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerabilities?
All members of the Office family, including Excel, provide a security mechanism that prevents macros from running without your approval. Whenever you open an Office document that contains macros, a warning notice is displayed that tells you that the document contains macros and asks whether you want to disable them or not. Both of these vulnerabilities could allow a macro to be executed in Excel without that warning.
The primary vulnerability is the "Excel SYLK" vulnerability, but this patch also eliminates another vulnerability involving the way Excel handles macros created by third-party products. Taken in their entirety, these two vulnerabilities, if exploited, could allow a macro to take any action on your computer that you yourself could take. Generally, this would include creating, deleting or modifying data files, reformatting the hard drive, or copying data to or from a web site.
A malicious user could not attack you remotely using these vulnerabilities. He or she would need to provide you with a document that contained a macro that exploited either of these vulnerabilities, and persuade you to open it.
What are the vulnerabilities?
The primary vulnerability is the "Excel SYLK" vulnerability, which involves how Excel processes files saved in "Symbolic Link" (SYLK) format. SYLK files can contain macros, but Excel does not provide the usual macro warning when a SYLK file containing a macro is opened.
The second vulnerability eliminated by the patch involves the way Excel handles macros that were created by third-party software. Microsoft Office products, including Excel, can import files from many third-party office productivity, word processing, and other products. Some of these third-party products support macros, and enable the author of a file to embed macros in it. This vulnerability results when files created using two of these products, Quattro Pro and Lotus 1-2-3, are imported into Excel 97. Excel 97 does not correctly handle macros embedded in such files, and will run them without asking for your permission first. It is important to note that this vulnerability results solely from an error in how Excel 97 processes these files, and does not represent a vulnerability in Quattro Pro or Lotus 1-2-3. The vulnerability does not exist in Excel 2000.
What are Symbolic Link files?
Symbolic Link format is one of the file formats supported by Microsoft Excel. Symbolic Link format saves the data in a simple, ASCII-based text format that is understood by many other spreadsheet and word processing packages. It's most frequently used when customers need to move data between software packages that don't share any higher-level formats.
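Because SYLK is plain text, a defender can triage incoming files for the macro content the two passages above describe before Excel ever opens them. The following is an added example, not code from Microsoft or this bulletin: it parses the documented SYLK record layout (ID header, O record with the E macro-sheet option, NN name records, C cell records carrying E formulas) and reports the indicators a mail or file scanner would flag; the sample file and the indicator names are constructed for this example.

```python
"""Triage a SYLK (Symbolic Link) file for macro-sheet content.

Added example: the record types used here are the documented SYLK format,
but the sample file and the list of auto-run names are constructed."""

# Constructed sample: a minimal macro sheet that defines an auto-run name.
SAMPLE_SYLK = "\r\n".join([
    "ID;PWXL;N;E",                             # header record
    "O;E",                                     # option: sheet is a macro sheet
    "NN;NAuto_Open;ER1C1",                     # name record: auto-run name
    'C;X1;Y1;EALERT("constructed sample")',    # cell with a formula (E field)
    "C;X1;Y2;ERETURN()",
    "E",                                       # end-of-file record
])

# Names Excel runs automatically when a macro sheet is opened or closed.
AUTO_RUN_NAMES = {"auto_open", "auto_close", "auto_activate", "auto_deactivate"}


def parse_records(text):
    """Split a SYLK file into records, each a list of ';'-separated fields.
    A literal ';' inside a field is escaped as ';;', so protect it first."""
    records = []
    for line in text.splitlines():
        if not line:
            continue
        protected = line.replace(";;", "\x00")
        records.append([f.replace("\x00", ";") for f in protected.split(";")])
    return records


def triage_sylk(text):
    """Return the macro indicators found in the file and an overall verdict."""
    recs = parse_records(text)
    result = {"is_sylk": bool(recs) and recs[0][0] == "ID",
              "macro_sheet": False, "auto_run_names": [], "formula_cells": 0}
    for rec in recs:
        rtype, fields = rec[0], rec[1:]
        if rtype == "O" and "E" in fields:          # macro-sheet option
            result["macro_sheet"] = True
        elif rtype == "NN":                          # defined name
            name = next((f[1:] for f in fields if f.startswith("N")), "")
            if name.lower() in AUTO_RUN_NAMES:
                result["auto_run_names"].append(name)
        elif rtype == "C" and any(f.startswith("E") for f in fields):
            result["formula_cells"] += 1             # cell carries a formula
    result["warn"] = result["is_sylk"] and (
        result["macro_sheet"] or bool(result["auto_run_names"]))
    return result
```

A plain data export (ID header, K value cells, no O;E and no NN records) yields `warn == False`, which is the behaviour to check against your own SYLK interchange files before deploying the rule.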
How does the patch correct the vulnerabilities?
The patch corrects the "Excel SYLK" vulnerability by extending the normal macro warning mechanism to macros contained in SYLK files.
The patch corrects the vulnerability affecting third-party macros by introducing a registry key that determines whether macros in imported Quattro Pro and Lotus 1-2-3 files are enabled or disabled. By default, they are disabled. However, if desired, macros in imported Quattro Pro and Lotus 1-2-3 files can be re-enabled, but if this is done, the macros will run without warning. For more information on the registry key, see Microsoft Knowledge Base article 241900.
Who should apply the patch?
Customers using either Excel 97 or 2000 should apply the patch. Excel ships both as a stand-alone product and as part of Microsoft Office.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How can I tell if I installed the patch correctly?
Use the following table to verify that you installed the patch correctly:
| If you are using this version of Excel... | You've installed the patch correctly if Excel.exe has these properties... |
| --- | --- |
| Excel 97 | Date: December 04, 1999 |
| Excel 2000 | Date: December 04, 1999 |
What is Microsoft doing about this issue?
• Microsoft has developed a patch that eliminates the vulnerabilities.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerabilities and the patch.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued Knowledge Base articles explaining the vulnerabilities and patch in more detail.
Where can I learn more about best practices for security?
The Microsoft Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.