Multiple Vulnerabilities in Microsoft Office Web Components
Internet Security Systems Security Alert August 22, 2002 Multiple Vulnerabilities in Microsoft Office Web Components Synopsis: Microsoft has released a security bulletin detailing multiple vulnerabilities in Office Web Components (OWC). OWC is a component of several Microsoft products and it provides Microsoft Office functionality within a Web browser. Impact: The OWC vulnerabilities can be exploited if a user visits a hostile Web page or if exploit code is delivered to a recipient via email. This vulnerability may allow a remote attacker to execute arbitrary commands on vulnerable systems without having authorized access. This vulnerability and others like it may be easily integrated into mass-emailing Internet worms. Affected Versions: Microsoft Office Web Components 2000 Microsoft Office Web Components 2002 Microsoft BackOffice Server 2000 Microsoft BizTalk Server 2000 Microsoft BizTalk Server 2002 Microsoft Commerce Server 2000 Microsoft Commerce Server 2002 Microsoft Internet Security and Acceleration Server 2000 Microsoft Money 2002 Microsoft Money 2003 Microsoft Office 2000 Microsoft Office XP Microsoft Project 2002 Microsoft Project Server 2002 Microsoft Small Business Server 2000 Description: Microsoft OWC integrates Microsoft Office with Microsoft¿s Web-enabled products. OWC is a lightweight ActiveX implementation that provides Web users with limited Microsoft Office functionality without relying on Office itself. Using OWC, Web users can view and manipulate Office documents without having Microsoft Office installed. Microsoft has disclosed information about the following four vulnerable functions within OWC: Host(). This function is called to provide the requesting user or document with access to Office functionality. A vulnerability in this function may allow attackers to execute arbitrary commands by way of a hostile Web site or an HTML email. LoadText(). LoadText is called to display text in a browser window. This function includes security checks to try to ensure that the function is not abused. These checks do not account for all circumstances, and a flaw can be exploited to allow attackers to view any file on the target system. Copy() and Paste(). These functions are used to manipulate the clipboard. Internet Explorer contains a flawed security check that can be circumvented to allow an attacker to view the contents of the clipboard. Recommendations: Microsoft has reported that proper configuration of ActiveX controls and security zones within Outlook and Outlook Express may mitigate the risk associated with the OWC vulnerabilities. Exploitation can be blocked if hostile Web sites are included in the ¿Restricted Zone,¿ which blocks ActiveX controls by default. Outlook 2002, Outlook Express 6.0, and previous versions of Outlook that have been patched with the Outlook Email Security Update render HTML email in the Restricted Zone by default. These email clients are not vulnerable. X-Force recommends that customers make their best effort to update and maintain the security of Web-enabled client software though the use of Windows Update. Previously distributed security updates as well as current versions of the affected software provide protection from the OWC vulnerabilities described in this advisory and may provide protection against future undiscovered issues. Internet Scanner X-Press Update 6.16 includes a check to assess the vulnerabilities described in this advisory. Detection support for these vulnerabilities will be provided in an upcoming update for RealSecure Network Sensor. Internet Scanner XPU 6.16 is available from the ISS Download Center at: http://www.iss.net/download. Microsoft has provided patch information in the Microsoft Security Bulletin MS02-44: http://www.microsoft.com/technet/security/bulletin/MS02-044.asp. Additional Information: ISS X-Force Database http://www.iss.net/security_center/static/8777.php http://www.iss.net/security_center/static/8778.php http://www.iss.net/security_center/static/8779.php http://www.iss.net/security_center/static/8784.php Microsoft Outlook Security Update http://office.microsoft.com/Downloads/2000/Out2ksec.aspx The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. CAN-2002-0727 Host() Vulnerability CAN-2002-0860 LoadText() Vulnerability CAN-2002-0861 Copy()/Paste() Vulnerability ______ About Internet Security Systems (ISS) Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software and services that protect critical online resources from an ever-changing spectrum of threats and misuse. Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East. Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this document. It is not to be edited or altered in any way without the express written consent of the Internet Security Systems X-Force. If you wish to reprint the whole or any part of this document in any other medium excluding electronic media, please email xforce@iss.net for permission. Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information. X-Force PGP Key available on MIT's PGP key server and PGP.com's key server, as well as at http://www.iss.net/security_center/sensitive.php Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc.