FWD: ALERT for MSOffice-IE/Outlook users

Dave Williams (dlw16@csufresno.edu)
Mon, 25 Jan 1999 09:00:21 -0800

> I received the following over the weekend. The second fwded message
> is from Microsoft's Office Enterprise Insider listserve. Please share
> with users of MSOffice, Internet Explorer/Outlook.

> Subject: Special Alert
> Resent-Date: Thu, 21 Jan 1999 16:07:26 -0800
> Resent-From: Mailing List Processor Account <sierra-adjunct@lists.professional.org>
> Date: Thu, 21 Jan 1999 16:06:55 -0800
> From: "Bob Keller" <oitsubob@ix.netcom.com>
> Reply-To: sierra-adjunct@lists.professional.org
> Organization: The Society for Greater Bandwidth
> To: sierra-adjunct@lists.professional.org
>
> This is not a hoax or a joke. This is serious, and I'm passing it on for
> everyone's information. The following article is from a respected source
> of MS Office-related information. Please read it carefully and act
> accordingly.
>
> ----begin forwarded message-----
>
> GAPING SECURITY HOLE IN IE/OUTLOOK AND OFFICE:
> Listen up, people. This is serious. Probably the most important article
> that's ever appeared in Woody's Office Watch.
>
> WOWser DavidF wrote to me last week with a masterful, amazing hack that
> exploits the largest Office security hole I've ever seen. No, I'm not
> going to tell you the details of how the security hole works (Microsoft
> will give some broad info) - and I sure as hell hope nobody else drops
> enough hints to teach some %$#@! idiot malware writer how to do it.
>
> But I will tell you what it does. If you have Office installed, and you
> use Internet Explorer to view an infected Web page, that page - without
> your knowledge, or any action on your part - can wreak havoc on your
> system.
>
> It can drop a virus, delete a folder, scramble data, send your tax files
> to Timbuktu... anything. Similarly, if you use Outlook 98 or later to
> view an infected HTML message, that message - with no action on your
> part - can do anything to your system.
>
> Anti-virus legend Dr. Vesselin Bontchev confirmed DavidF's report by
> showing me an HTML file that exploits the security hole. It's... scary.
> It's way too easy to exploit - unlike some more obscure security
> problems, you don't have to be a 'rocket scientist' to spread trouble.
> For that reason, WOW has decided to be quick about warning our readers
> to get the protective patch before examples of this spread 'in the
> wild'.
>
> DavidF told me, "I'm a bit surprised this isn't more widely known. I
> notified the MSIE team of it long ago..." As in the past, WOW has been
> able to bypass Microsoft's bureaucracy and quickly get the details to
> the people who matter.
>
> Once we passed along David's news to the right levels inside Microsoft,
> the offal hit the impellers; a team has been working day and night for
> the last few days to find a fix. Microsoft will be posting that fix in
> the next few hours. That's why we held off on sending WOW to you this
> week - to make sure the fix was ready and that it works. It does.
>
> Let me make this really clear. Every single Office user who also uses
> Internet Explorer or Outlook 98 or later, MUST INSTALL THIS PATCH. It's
> only a matter of time before some %$#@! cretin figures out how to
> exploit this hole. You - and everyone you know - need protection NOW.
>
> There's actually TWO security patches out today. We're particularly
> concerned with the Word 97 Template patch, but you should get the Forms
> 2.0 patch as well. More info on both problems below.
>
> WORD 97 TEMPLATE PATCH
> Microsoft Security Bulletin:
> http://www.microsoft.com/security/bulletins/ms99-002.asp
>
> Office Update Download Page:
> http://officeupdate.microsoft.com/downloaddetails/wd97sp.htm
>
> FORMS 2.0 CONTROL PATCH
> Office Update Download Page:
> http://officeupdate.microsoft.com/downloaddetails/fm2paste.htm
>
> Microsoft Security Bulletin:
> http://www.microsoft.com/security/bulletins/ms99-001.asp
>
> Please. Take a few seconds to forward this article to everyone you know
> who doesn't subscribe to WOW. Urge them in no uncertain terms to get the
> patches, and apply them immediately.
>
> All I ask is that you keep this article intact - don't change it - and
> that you send it in its entirety. If there are any updates, we'll post
> them to http://www.wopr.com/ immediately.
>
> -----end forwarded message--------
>
> _\|/_
> (o o)
> -------oOO-(_)-OOo-------
>
> Bob Keller
> oitsubob@ix.netcom.com
> http://www.netcom.com/~oitsubob
>
> "Try to do something dangerous at least once a day."
> --- Kurt Vonnegut

Forward #2 - details and descriptions of patches

As a valued Office Enterprise Insider subscriber, we wanted you to be
aware of three new patches (currently available or in development) that
address issues in Microsoft Office. Two patches fix recently discovered
Office security issues, and the third will fix an Outlook archive fidelity
problem. Read the following for a description of each Office product
issue, whether you could be affected, and where you can go for more
information or to download the appropriate patch.

----------------------------------------------------------------------------
FORMS CONTROL SECURITY PATCH--NOW AVAILABLE AT OFFICE UPDATE
http://www.microsoft.com/security/bulletins/ms99-001.asp

The Forms Control Security Patch addresses a vulnerability that occurs
when the Forms 2.0 Control (fm20*.dll) is available on a user's system.
Forms 2.0 is a component object model (COM) component that developers use
to create custom dialog boxes. This control is a part of Microsoft Visual
Basic for Applications and is installed with Office 97, Microsoft Project
98, Visual Basic version 5.0, and third-party applications that license
Visual Basic. Potentially, a malicious hacker could use the Forms 2.0
Control to read or export text on a user's Clipboard when that user visits
a Web site or opens an HTML e-mail message created by the malicious
hacker.

The Forms 2.0 Control Security Patch prevents a hacker from exploiting
this vulnerability. If you install the patch, you will not lose Clipboard
functionality. In addition, the patch will not disable legitimate
solutions built by developers using the Forms 2.0 Control.

Microsoft strongly recommends that all users of the affected programs
(listed above) download and install this patch.

Check back at the link listed above for information on international
versions of this patch.

----------------------------------------------------------------------------
WORD 97 TEMPLATE SECURITY PATCH--NOW AVAILABLE AT OFFICE UPDATE
http://www.microsoft.com/security/bulletins/ms99-002.asp

The Word 97 Template Security Patch addresses a vulnerability that allows
malicious code to be run without warning when a user opens a Word 97
document. Currently, when you open a Word document that contains macros,
you receive a warning message asking whether or not you want to enable
the macros. However, if a document that doesn't contain macros is linked
to a template that contains macros, you do not receive a warning message.
A hacker could exploit this vulnerability by causing malicious code to be
run without warning when a user visits a Web site or opens a Word document
attached to an e-mail message. This malicious code could be used to damage
data on a user's system.

The Word 97 Template Security Patch prevents a hacker from exploiting this
vulnerability. After you install the patch, if you open a Word document
linked to a template that contains macros, you will receive a warning
message. The patch will not disable your use of templates or macros on
templates.

Microsoft recommends that all Word 97 users download and install this
patch.

Check back at the link listed above for information on international
versions of this patch.

----------------------------------------------------------------------------
OUTLOOK ARCHIVE PATCH--COMING SOON TO OFFICE UPDATE
http://officeupdate.microsoft.com/articles/outlookarchpatch.htm

Outlook 97 and Outlook 98 users should be aware of an archive fidelity
issue that may cause you to lose data during an archive process. If you
perform an archive operation in Outlook and for an external reason your
computer fails (for instance, if you lose power), some of the information
being archived may be lost from both the original folder and the folder to
which it was being archived. During the archive process, there is a small
amount of time when the archival information is only in memory before
being written to the archive personal store (PST) file. Thus, if a
computer failure occurs at this exact time, the items that are in memory
are lost.

A patch for this issue is currently in development and should be available
for download next month. The patch will change the archive mechanism in
Outlook to ensure that archived items are fully written to disk before
they are deleted from the source folder. After you download and install
the patch, you will not risk data loss should your computer fail in the
middle of the archive process. This archive fidelity problem will also be
corrected in future versions of Outlook. Check the link listed above for
updated information on the patch as it becomes available.

Prior to patch availability, you may want to refrain from using the
Archive and AutoArchive features in Outlook.

Check back at the link listed above for information on international
versions of this patch.
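
The Word 97 template bulletin above turns on a document that carries no macros itself but is linked to a template that does. As an added example (not part of the forwarded bulletins and not Microsoft's code), the check below lists that document-to-template link; it goes beyond the Word 97 case by reading the later OOXML (.docx) package format rather than the Word 97 binary format. The function names, the sample package and the example.invalid URL are constructed for illustration.

```python
import io
import zipfile
# For untrusted files, prefer a hardened XML parser such as defusedxml.
import xml.etree.ElementTree as ET

REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
TEMPLATE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                 "relationships/attachedTemplate")

def attached_templates(docx_bytes):
    """Return [(target, is_external)] for each attached-template relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(pkg.read(name)).iter(REL):
                # endswith() also matches the "strict" OOXML namespace variant.
                if rel.get("Type", "").endswith("/attachedTemplate"):
                    found.append((rel.get("Target", ""),
                                  rel.get("TargetMode") == "External"))
    return found

def needs_review(docx_bytes):
    """True if the template lives outside the package or can carry macros."""
    return any(external or target.lower().endswith((".dotm", ".dot"))
               for target, external in attached_templates(docx_bytes))

def make_sample(template_target=None, external=False):
    """Constructed, minimal package holding only the relationships part."""
    rel = ""
    if template_target:
        mode = ' TargetMode="External"' if external else ""
        rel = (f'<Relationship Id="rId1" Type="{TEMPLATE_TYPE}" '
               f'Target="{template_target}"{mode}/>')
    xml = ('<Relationships xmlns="http://schemas.openxmlformats.org/'
           f'package/2006/relationships">{rel}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/_rels/settings.xml.rels", xml)
    return buf.getvalue()
```
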
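
The ordering described for the Outlook archive fix above (archived items fully written to disk before they are deleted from the source folder) can be shown with a small model. This is an added example, not Outlook's or Microsoft's code: the record format, the `archive_items` name and the `fail_before_sync` switch are assumptions made for illustration, and the directory `fsync` assumes a POSIX system.

```python
import os

def archive_items(src_dir, archive_path, fail_before_sync=False):
    """Append every file in src_dir to one archive file, then delete the sources.

    Sources are removed only after the archive data and its directory entry
    have been forced to disk, so a failure at any earlier point loses nothing.
    """
    names = sorted(os.listdir(src_dir))
    start = os.path.getsize(archive_path) if os.path.exists(archive_path) else 0
    with open(archive_path, "ab") as arc:
        try:
            for name in names:
                with open(os.path.join(src_dir, name), "rb") as item:
                    body = item.read()
                # Constructed record format: "<name>\t<length>\n<body>"
                arc.write(f"{name}\t{len(body)}\n".encode() + body)
            if fail_before_sync:
                # Stand-in for a failure while the data is still only in memory.
                raise RuntimeError("simulated failure before data reached disk")
            arc.flush()
            os.fsync(arc.fileno())          # archive bytes are now on disk
        except BaseException:
            # Ordinary errors roll the archive back; a real power loss skips
            # this, but the source items are still intact either way.
            arc.flush()
            arc.truncate(start)
            raise
    # Persist the directory entry as well, so the archive file itself survives.
    dir_fd = os.open(os.path.dirname(os.path.abspath(archive_path)), os.O_RDONLY)
    try:
        os.fsync(dir_fd)
    finally:
        os.close(dir_fd)
    # Only now is it safe to delete from the source folder.
    for name in names:
        os.remove(os.path.join(src_dir, name))
    return names
```
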