Overview
A malformed Microsoft Excel or PowerPoint document can bypass macro checking thereby allowing arbitrary code to be run on the target system.
Description
Microsoft Excel and PowerPoint scan documents when they are opened and check for the existence of macros. If the document contains macros, the user running Excel or PowerPoint is alerted and asked if they would like the macros to be run. Because Microsoft Excel and PowerPoint do not adequately detect macros, a user can unknowingly run macros containing malicious code when opening an Excel or PowerPoint document. There are several delivery mechanisms available to an intruder to execute this attack. The attacker could craft a specially formed Excel or PowerPoint document with macro code that would run automatically when the user opened it and send it via electronic mail to a victim or multiple victims. Alternatively, the attacker could host a specially formed Excel or PowerPoint document on a web site and offer it for download. Additionally, an attacker could deliver the malicious document via open file shares. According to the Microsoft Security Bulletin, the following versions of Excel and PowerPoint are affected:
Microsoft tested the following versions:
Versions of Excel and PowerPoint (or indeed, other products in the Office suite) prior to this may be affected, but are unsupported. For example, Symantec claims that Microsoft Office 97 and Microsoft Powerpoint 97 are vulnerable as well. Microsoft has not indicated whether or not Microsoft Excel 97 and Microsoft Powerpoint 97 are vulnerable. We are working with Microsoft to determine if these versions are indeed vulnerable as Symantec claims. Given the strong potential for widespread abuse of this problem, we strongly recommend that you apply patches as soon as you are able. A similar problem was responsible for the Melissa virus in March of 1999, for example. For more informaiton, see http://www.cert.org/advisories/CA-1999-04.html Additional information is available from http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-050.asp |
Impact
An attacker could craft a specially formed Excel or PowerPoint document with macro code that would run automatically when the user opened it and send it via electronic mail to a victim or multiple victims. Alternatively, the attacker could host a specially formed Excel or PowerPoint document on a web site and offer it for download. Additionally, an attacker could deliver the malicious document via open file shares. |
Solution
Apply a patch from your vendor. |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- http://www.microsoft.com/technet/security/bulletin/MS01-050.asp
- Microsoft Excel 2000 for Windows:
- http://download.microsoft.com/download/excel2000/e2kmac/1/w98nt42kme/en-us/e2kmac.exe
- Microsoft Excel 2002 for Windows:
- http://download.microsoft.com/download/excel2002/exc1001/1/w98nt42kme/en-us/exc1001.exe
- Microsoft Excel 98 for Macintosh:
- http://www.microsoft.com/mac/download/office98/pptxlmacro.asp
- Microsoft Excel 2001 for Macintosh:
- http://www.microsoft.com/mac/download/office2001/pptxlmacro.asp
- Microsoft PowerPoint 2000 for Windows:
- http://download.microsoft.com/download/powerpoint2000/p2kmac/1/w98nt42kme/en-us/p2kmac.exe
- Microsoft PowerPoint 2002 for Windows:
- http://download.microsoft.com/download/powerpoint2002/ppt1001/1/w98nt42kme/en-us/ppt1001.exe
- Microsoft PowerPoint 98 for Macintosh:
- http://www.microsoft.com/mac/download/office98/pptxlmacro.asp
- Microsoft PowerPoint 2001 for Macintosh:
- http://www.microsoft.com/mac/download/office2001/pptxlmacro.asp
- http://www.securityfocus.com/bid/3402
Acknowledgements
This document was written by Ian A. Finlay.
Other Information
| CVE IDs: | CVE-2001-0718 |
| Severity Metric: | 23.29 |
| Date Public: | 2001-10-04 |
| Date First Published: | 2001-10-08 |
| Date Last Updated: | 2004-04-30 19:48 UTC |
| Document Revision: | 22 |