Overview
Microsoft Office Web Components (OWC) allows a malicious script on a web page to learn if a file exists on the client's filesystem.
Description
OWC allows viewing of Microsoft Office documents such as spreadsheets and charts to be viewed within an HTML document in Microsoft Internet Explorer (IE). OWC is included with Microsoft Office and can also be downloaded for free from Microsoft's web site. By default, it is marked safe for scripting by ActiveX and other scripting components. The Load method of OWC's Chart component opens a file specified by a Uniform Resource Index (URI) without checking the validity of the URI. If the URI points to the client's local filesystem, the Load method will attempt to open the file at that location. If the file does not exist, the method will return an error. If the file exists, the method does not return the error. A malicious script can use the result to determine if the file exists. |
Impact
A malicious script can test any location on the client's filesystem for existence of files, thereby learning what files exist locally and on accessible network drives. |
Solution
The CERT/CC is currently unaware of patches or other software updates to resolve this problem. |
Remove OWC. If OWC was installed with Microsoft Office, choose "Add/Remove Components" from the Microsoft Office Setup interface. If OWC was installed separately from Office, choose "Add/Remove Programs" in Windows. |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
Thanks to GreyMagic Software for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
Other Information
| CVE IDs: | None |
| Severity Metric: | 2.70 |
| Date Public: | 2002-04-08 |
| Date First Published: | 2002-09-24 |
| Date Last Updated: | 2002-09-24 15:51 UTC |
| Document Revision: | 8 |