Date: 09 October 2001
References: ESB-2001.411
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2001.419 -- CERT Advisory CA-2001-28
Automatic Execution of Macros
9 October 2001
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Excel 2000 and 2002 for Windows
Excel 98 and 2001 for Macintosh
PowerPoint 2000 and 2002 for Windows
PowerPoint 98 and 2001 for Macintosh
Vendor: Microsoft
Operating System: Windows
Macintosh
Impact: Execute Arbitrary Code/Commands
Ref: ESB-2001.411
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2001-28 Automatic Execution of Macros
Original release date: October 08, 2001
Last revised: -- Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
Systems running:
* Windows
+ Microsoft Excel 2000
+ Microsoft Excel 2002
+ Microsoft PowerPoint 2000
+ Microsoft PowerPoint 2002
* Macintosh
+ Microsoft Excel 98
+ Microsoft Excel 2001
+ Microsoft PowerPoint 98
+ Microsoft PowerPoint 2001
Overview
An intruder can include a specially crafted macro in a Microsoft
Excel or PowerPoint document that can avoid detection and run
automatically regardless of the security settings specified by the
user.
I. Description
Microsoft Excel and PowerPoint scan documents when they are opened
and check for the existence of macros. If the document contains
macros, the user running Excel or PowerPoint is alerted and asked
if he would like the macros to be run. However, Microsoft Excel and
PowerPoint may not detect malformed macros, so a user can
unknowingly run macros containing malicious code when opening an
Excel or PowerPoint document.
An intruder who can entice or deceive a victim into opening a
document using a vulnerable version of Excel or PowerPoint could
take any action the victim could take, including, but not limited
to
* reading, deleting, or modifying data, either locally or on open
file shares
* modifying security settings (including macro virus protection
settings)
* sending electronic mail
* posting data to or retrieving data from web sites
For more information, please see
http://securityresponse.symantec.com/avcenter/security/Content/
2001.10.04.html
http://www.microsoft.com/technet/treeview/default.asp?url=/tech
net/security/bulletin/MS01-050.asp
Given the strong potential for widespread abuse of this
vulnerability, we strongly recommend that you apply patches as soon
as you are able. For example, the Melissa virus which spread in
March of 1999 used social engineering to convince victims to
execute a macro embedded in a Microsoft Word document. For more
information, see the CERT/CC Advisory listed below.
http://www.cert.org/advisories/CA-1999-04.html
As a general practice, everyone should be aware of the potential
damage that Trojan horses and other kinds of malicious code can
cause to any platform. For more information, see
http://www.cert.org/advisories/CA-1999-02.html
This vulnerability has been assigned the identifier CAN-2001-0718
by the Common Vulnerabilities and Exposures (CVE) group:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0718
II. Impact
An attacker can execute arbitrary code on the target system with
the privileges of the victim running Excel or PowerPoint.
III. Solution
Apply a patch
Appendix A contains information from vendors who have provided
information for this advisory. We will update the appendix as we
receive more information. If a vendor's name does not appear, then
the CERT/CC did not hear from that vendor. Please contact your
vendor directly.
Until a patch can be applied, and as a general practice, we
recommend using caution when opening attachments. However, it is
important to note that relying on the "From" line in an electronic
mail message is not sufficient to authenticate the origin of the
document.
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this
advisory. When vendors report new information to the CERT/CC, we
update this section and note the changes in our revision
history. If a particular vendor is not listed below, we have not
received their comments.
Microsoft Corporation
See Microsoft Security Bulletin MS01-050
Appendix B. - References
1. http://securityresponse.symantec.com/avcenter/security/Content/200
1.10.04.html
2. http://www.microsoft.com/technet/treeview/default.asp?url=/technet
/security/bulletin/MS01-050.asp
3. http://www.kb.cert.org/vuls/id/287067
4. http://www.cert.org/advisories/CA-1999-04.html
5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0718
_________________________________________________________________
_________________________________________________________________
The CERT Coordination Center thanks Peter Ferrie and Symantec
Security Response, who discovered this vulnerability and published
the information in their advisory. Additionally, we thank
Microsoft Corporation, who published an advisory on this issue.
_________________________________________________________________
Author: Ian A. Finlay and Shawn V. Hernan.
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2001-28.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of
your message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is"
basis. Carnegie Mellon University makes no warranties of any kind,
either expressed or implied as to any matter including, but not
limited to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the
material. Carnegie Mellon University does not make any warranty of
any kind with respect to freedom from patent, trademark, or
copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2001 Carnegie Mellon University.
Revision History
October 8, 2001: initial release
- -----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBO8H+YKCVPMXQI2HJAQHlegP+P6LyxsV880PLmLoip+dUJs6LcMER+t7r
uNU4MABB66f7B8pLNUTHI4cSzTdkH2mYC/fzdro92Z1t5VNTlMAQ3V27WP03OrU6
BdbduoHCXVWZMHYe1otl8ePPwPDwdYvajlEUoXSeG97Jl3pbA5wcCCvBdnRvhREr
gSzpV7t53FU=
=B68T
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBO8Mjtih9+71yA2DNAQFunQP+K2Xte0X38pG9RRxSMYCQVVorWkvcg1Y6
J8xRC/JHmMTp+vGhPPRkJ/nysZ6aiDhx3KEzYy5LprQ7e0BGhVQDZvMZS1z3fjWq
NQb1roXX4dthBi2ipbqTyy7hhUMT2qyyCfBRxy2T/cLBdr598ETgKG/ta2ZmoZsz
sq8ikjBhVGY=
=Uqiq
-----END PGP SIGNATURE-----
|