What's the scope of the vulnerability?
This vulnerability could enable an attacker to create a document that, when opened in Word, would run a macro without asking for the user's permission. Macros are able to take any action the user is capable of taking, and as a result this vulnerability could give an attacker an opportunity to take actions such as changing data, communicating with web sites, reformatting the hard drive or changing the Word security settings.
The vulnerability only affects Word - other members of the Office product family are not affected - and only when Rich Text Format documents are opened. The vulnerability does not exist when opening Word documents. The vulnerability is not present in Word 2002, the version that ships as part of Office XP.
What causes the vulnerability?
The vulnerability results because, when opening a Rich Text Format document that is linked to a Word template, Word doesn't check the template for embedded macros.
What's Rich Text Format?
Rich Text Format (RTF) is a specification for encoding formatted text and graphics. The principal benefit of RTF is that it's supported by a number of word processors on a number of different platforms. For instance, if Joe uses Word on a PC to create RTF files, he could share them with Jane, who uses an entirely different word processor on a Macintosh. All versions of Word dating back to Word 1.0 natively support RTF.
Word can open and process RTF documents, and Word documents can be saved in RTF if desired. However, there is a security vulnerability involving the way Word opens such files, and this could allow macros to run without the user's permission.
What's a macro?
In general, the term macro refers to a small program that automates commonly performed tasks within an operating system or an application. For instance, all members of the Office family of products support the use of macros. This allows companies, for instance, to develop macros that serve as sophisticated productivity tools running within Word, Excel, or other programs. Like any computer program, though, macros can be misused. In particular, because of the popularity of Office products, many viruses are written as macros and embedded within Office documents. To combat this threat, Office has developed a security model that is designed to ensure that macros can only run when the user wants them to. In this case, however, there is a flaw in the security model, which can occur when opening an RTF document that is linked to a template containing a macro.
What's a template?
A template can be thought of as a skeleton document. For instance, a template of a research paper might define the needed styles, include pre-built headers and footers, and include any required boilerplate text. When a user needs to create a new research paper, she could use the template as a foundation upon which to develop her actual paper. Examples of templates can be found in the Microsoft Office Template Gallery.
Like other documents, templates can contain macros. When Word is used to open a document that's based on a template, both the document and the template should be checked for macros. The vulnerability involves a case in which this isn't done correctly.
What's the vulnerability?
In the case where Word is used to open an RTF file, and the file contains a link to a template, only the RTF file is checked for macros. The template, which might also contain macros, is not checked.
What could this enable an attacker to do?
An attacker could use this vulnerability to bypass the normal Word security model. Specifically, if he created a template containing a macro, based an RTF file on that template, and was able to persuade another user to open the RTF file, the macro in the template would run without asking the user's permission.
What could the macro do?
The macro would be able to take any action that the user herself could take on her machine. This would include adding, changing or deleting files, communicating with a web site, reformatting the hard drive, and so forth.
It's worth noting that a macro also could change the user's security setting. This could include disabling macro protection. As a result, if the user were attacked via this vulnerability, one of the outcomes could be that the user's security settings would be reduced, and other macros that normally would be stopped by Word would now be able to run.
How would the attacker deliver the document to the other user?
The attacker would have a variety of options. He could host it on a web site or, if he had sufficient access, save it on a share. Likewise, he could target a particular user by sending it to her via e-mail or passing it to her on a floppy disk.
If the attacker sent the RTF file to the other user, would he need to send the template with it?
Not necessarily. RTF and Word files don't have to be collocated with their associated templates. Instead, the template can reside on a remote location, and the document can link to it via a web (HTTP) connection. Thus, an attacker could create an RTF file that would link back to a template on his web site, thereby avoiding the need to send both the RTF file and the template to the user.
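The following is an added example, not code from the bulletin or from Microsoft: a small scanner that a mail gateway or file-share audit could run over RTF files to flag documents that link to a template, the condition this vulnerability depends on, and to separate local links from remote (HTTP or UNC) ones. The sample RTF strings are constructed for this example; the {\*\template <path>} destination is the RTF specification's control word for a document's attached template, and example.com is a placeholder.

```python
import re
from typing import Dict, List, Optional

# Constructed sample documents (not real attack files). Per the RTF spec the
# attached template is recorded as {\*\template <path>}; backslashes in the
# stored path are escaped as \\ inside the RTF text.
LOCAL_TEMPLATE_RTF = (
    r"{\rtf1\ansi{\*\template C:\\Templates\\Normal.dot}"
    r"\pard Quarterly report.\par}"
)
REMOTE_TEMPLATE_RTF = (
    r"{\rtf1\ansi{\*\template http://example.com/t.dot}"  # placeholder host
    r"\pard Please review.\par}"
)
UNC_TEMPLATE_RTF = (
    r"{\rtf1\ansi{\*\template \\\\fileserver\\share\\x.dot}"
    r"\pard Notes.\par}"
)
NO_TEMPLATE_RTF = r"{\rtf1\ansi\pard Plain text only.\par}"

# Matches the template destination group and captures the path text.
TEMPLATE_DEST = re.compile(r"\{\\\*\\template\s+([^}]*)\}", re.IGNORECASE)


def extract_template_path(rtf: str) -> Optional[str]:
    """Return the template path declared in the RTF, or None if there is none."""
    m = TEMPLATE_DEST.search(rtf)
    if not m:
        return None
    # Undo the RTF escaping of backslashes in the stored path.
    return m.group(1).strip().replace("\\\\", "\\")


def classify_template(path: Optional[str]) -> str:
    """Classify a template link as none, local, remote-http or remote-unc."""
    if path is None:
        return "none"
    lowered = path.lower()
    if lowered.startswith(("http://", "https://")):
        return "remote-http"
    if lowered.startswith("\\\\"):
        return "remote-unc"
    return "local"


def assess_rtf(rtf: str) -> Dict[str, object]:
    """Report the linked template (if any) and whether the file merits review."""
    path = extract_template_path(rtf)
    kind = classify_template(path)
    # On unpatched Word any linked template is unchecked for macros; a remote
    # link additionally lets the RTF arrive without its template, as described.
    return {"template": path, "kind": kind, "flag": kind != "none"}
```

A gateway would typically quarantine or route for review anything where "flag" is true, treating remote-http and remote-unc links as the higher-priority cases.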
Suppose the user opened an RTF file, and then saved it as a Word file. If another user later opened the Word file, could it exploit the vulnerability?
No. The security settings work correctly when opening a Word document, even one that's linked to a template.
Does the vulnerability affect any Office products other than Word?
No. Word is the only Office product that can open RTF files, and as a result is the only Office product affected by the vulnerability.
Is Office XP affected by this vulnerability?
The soon-to-be-released Word 2002 (the version of Word included in Office XP) is not affected by the vulnerability.
What does the patch do?
The patch eliminates the vulnerability by causing the correct macro checking to be performed even when opening an RTF file linked to a Word template.