Microsoft Security Bulletin MS01-034

Technical description:

Word, like other members of the Office product family, provides a security mechanism that requires the user's approval to run macros. By design, any time a document is opened Word scans it for macros. If any are found, they are handled in accordance with user's selected security settings. By default in Word 2000 and 2002, only macros that are signed by a trusted party are enabled; all others are disabled. In Word 97, if the document contains macros, the user is prompted regarding whether to enable them or disable them.

A vulnerability results because it is possible to modify a Word document in such a way as to prevent the security scanner from recognizing an embedded macro while still allowing it to execute. Exploiting the vulnerability would enable an attacker to cause a macro to run automatically when such a document was opened. Such a macro would be able to take any action that the user herself could take. This could include disabling the user's Word security settings so that subsequently-opened Word documents would no longer be checked for macros.

Many customers are already protected against this vulnerability. Specifically, the patches provided in Microsoft Security Bulletin MS01-028 for Word 2000, Word 97, Word 98 (J), Word 2001 for Macintosh, and Word 98 for Macintosh eliminate both the vulnerability discussed in MS01-028 as well as the vulnerability discussed here. Customers who have applied the patch provided in MS01-028 do not need to take any additional action. Word 2002 was not affected by the vulnerability discussed in MS01-028, so customers using Word 2002 should apply the patch provided below.

Mitigating factors: 

Vulnerability identifier: CAN-2001-0501 

Tested Versions:

Microsoft tested Word 2002, Word 2000, Word 97, Word 98 (J), and Word 98/Word 2001 for Macintosh to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

What's the scope of the vulnerability?
This vulnerability could enable an attacker to create a document that, when opened in Word, would run a macro without asking for the user's permission. Macros are able to take any action the user is capable of taking, and as a result this vulnerability could give an attacker an opportunity to take actions such as changing data, communicating with web sites, reformatting the hard drive or changing the Word security settings.
The vulnerability only affects Word - other members of the Office product family are not affected.

What causes the vulnerability?
The vulnerability results because it's possible to create a Word document to be malformed in such a way as to evade Word's normal macro security scans.

What's a macro?
In general, the term macro refers to a small program that automates commonly performed tasks within an operating system or an application. For instance, all members of the Office family of products support the use of macros. This allows, for instance, companies to develop macros that perform as sophisticated productivity tools running within Word, Excel, or other programs.
Like any computer program, though, macros can be misused. In particular, because of the popularity of Office products, many viruses are written as macros and embedded within Office documents. To combat this threat, Office has developed a security model that is designed to ensure that macros can only run when the user wants them to. In this case, however, there is a flaw in the security model, which can occur when opening the malformed document.

What's wrong with how Word scans documents for macros?
By design, any modification to a Word document that prevents Word from identifying embedded macros should also have the effect of corrupting the macros so that they cannot execute. The vulnerability results because this isn't true in one case. That is, it's possible to alter a Word document so that macros embedded within it won't be recognized as macros by Word's security architecture, but the part of Word that executes macros will still recognize them and run them.
It would not be possible to create such a document directly in Word. Instead, the attacker would need to perform low-level editing on a bona fide Word document, in order to introduce the needed malformations.

What could this enable an attacker to do?
An attacker could use this vulnerability to bypass the normal Word security model. Specifically, if he created a malformed document containing a macro and was able to persuade another user to open the Word file, the macro in the file would run without asking the user's permission.

What could the macro do?
The macro would be able to take any action that the user herself could take on her machine. This would include adding, changing or deleting files, communicating with a web site, reformatting the hard drive, and so forth.
It's worth noting that a macro also could change the user's security setting. This could include disabling macro protection. As a result, if the user were attacked via this vulnerability, one of the outcomes could be that the user's security settings would be reduced, and other macros that normally would be stopped by Word would now be able to run.

How would the attacker deliver the document to the other user?
The attacker would have a variety of options. He could host it on a web site or, if he had sufficient access, save it on a share. Likewise, he could target a particular user by sending it to her via e-mail or passing it to her on a floppy disk.

Does the vulnerability affect any Office products other than Word?
No. Though other Office applications use macros, Word is the only product affected by this vulnerability.

I heard that the patch provided in Microsoft Security Bulletin MS01-028 also eliminates this vulnerability. Is that true? 
Yes. In fact, the patch provided in MS01-028 is identical to the one provided here, for all affected products except Word 2002. (Word 2002 wasn't affected by the vulnerability in MS01-028, so there wasn't a Word 2002 patch in MS01-028). As a result, if you've applied the patch provided in MS01-028, you don't need to take any action to protect your system against the vulnerability discussed in this bulletin.

What does the patch do?
The patch eliminates the vulnerability by causing the correct macro checking to be performed even when opening a document that's been malformed in the way discussed above.

What is Word 98(J)?
Word 98(J) is a release of Word that is available only in Japanese. For all other languages, the version of Word immediately following Word 97 was Word 2000 -- there was no Word 98. In the special case of Japanese, however, there was an intermediate release between Word 97 and Word 2000, known as Word 98(J).

Download locations for this patch

Installation platforms:

•	The Word 2002 patch can be installed on systems running Word 2002 Gold.
•	The Word 2000 patch can be installed on systems running Word 2000 Service Release 1 or Service Pack 2.
•	The Word 97 patch can be installed on systems running Word 97 Gold or any Word 97 service release.
•	The Word 98(J) patch can be installed on systems running Word 98(J) Gold or any Word 98(J) service release.
•	The Word 2001 for Macintosh patch can be installed on systems running Microsoft Office 2001 Service Release 1.
•	The Word 98 for Macintosh patch can be installed on systems running the Combined Updater for Office 98.

Inclusion in future service packs:

The fix for this issue will be included in Word 2002 Service Pack 1. No future service packs or service releases are scheduled for any of the other affected products.

Reboot needed: No.

Superseded patches:

The patch provided herein is exactly the same as the one provided in Microsoft Security Bulletin MS01-028. The sole exception is the case of Word 2002; Word 2002 was not affected by the vulnerability discussed in MS01-028, so there is no patch for it in MS01-028.

Verifying patch installation: 

•	Word 2002: Verify that the version number of Winword.exe is 10.2930.2625.
•	Word 2000: Verify that the version number of Winword.exe is 9.00.00.5302.
•	Word 97: Select Help, then About Microsoft Word. If the patch has been installed, "QFE 8909" should be listed in the resulting dialogue.
•	Word 2001 for Macintosh: Select Help, then About Microsoft Word and verify that the version information reads "Word 9.0.2 (3411)".
•	Word 98 for Macintosh: Select Help, then About Microsoft Word and verify that the version information reads "Word 8.0 (8823)".

Caveats:

None

Localization:

Localized versions of this patch are available at the locations listed above in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

•	Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
•	Patches for consumer platforms are available from the WindowsUpdate web site.

Top of section