More about IE 4/5/Outlook + Word 97 security hole

Dave Williams (dlw16@csufresno.edu)
Sat, 30 Jan 1999 08:50:22 -0800

Received: from shadow.csufresno.edu (shadow [129.8.57.22])
by lennon.csufresno.edu (8.8.7/8.8.7) with ESMTP id SAA23322
for <dlw16@lennon.csufresno.edu>; Thu, 28 Jan 1999 18:36:13 -0800 (PST)
Received: from smtp.email.msn.com ([207.46.181.19])
by shadow.csufresno.edu (8.9.1/8.9.1) with ESMTP id SAA09497
for <dlw16@csufresno.edu>; Thu, 28 Jan 1999 18:36:15 -0800 (PST)
Received: from shiloh2 - 208.250.194.44 by email.msn.com with Microsoft SMTPSVC;
Thu, 28 Jan 1999 18:35:46 -0800
Message-ID: <000501be4b30$1e5a4b60$2cc2fad0@shiloh2>
From: "Fred Perry" <fred_perry@msn.com>
To: <keebnc@nccn.net>, <dlw16@csufresno.edu>
Subject: Fw: IE 4/5/Outlook + Word 97 security hole
Date: Thu, 28 Jan 1999 16:38:08 -0800

Further to our discussion re Windows "security":

What he said....
-----Original Message-----
From: Vesselin Bontchev <bontchev@COMPLEX.IS>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
Date: Wednesday, January 27, 1999 2:21 PM
Subject: IE 4/5/Outlook + Word 97 security hole

>Hello folks,
>
>This is not a strictly Windows NT issue - it affects Windows 9x users
>too. However, it is a very important one, so I decided to post about it
>here.
>
>Remember the so-called "Russian New Year" problem in Excel? Forget it;
>that was peanuts. Exploiting it required substantial knowledge of Excel,
>Windows programming, and assembly language (because the size of the
>programs that could be dropped was minimal). Not that uncommon a
>combination, but one requiring at least some level of knowledge and
>experience from the attacker. This new problem can be exploited much,
>MUCH easier - and all the attacker has to know is Visual Basic for
>Applications.
>
>Essentially, if you are using Internet Explorer 4.x or 5.x and Word 97
>(the beta, the original release, SR-1, or the SR-2 patch), you are
>vulnerable. Vulnerable, in the sense that just visiting a Web page can
>result in running a hostile VBA program on your machine without any
>warnings. If, in addition, you are using Outlook (any version of it),
>you are even more vulnerable - the attacker can run a hostile VBA
>program on your machine by just sending you an HTML e-mail message. (The
>hostile program will be run when you just VIEW the message - no need to
>click on any links.) The hostile program can do just about anything
>(drop a virus, delete files, steal information) - VBA is an extremely
>powerful language - and very easily.
>
>The problem consists of several parts. The first part is caused by the
>fact that by default IE 4.x/5.x automatically launches
>Word/Excel/PowerPoint to view URLs which point to DOC/XLS/PPT files (and
>all other file extensions for these applications). That is, you are not
>given the option to save the file to disk instead of opening it. If the
>file contains hostile macros, these macros could be executed by the
>respective application.
>
>Microsoft "protects" you from such attacks with the so-called built-in
>macro virus protection of the Office 97 versions of the applications
>mentioned above. That is, if the document you are trying to open
>contains any macros, the application will display a warning by default
>(this can be easily turned off) and will offer you the options to open
>the document as is, to open it without the macros (the default), or not
>to open it at all. Please note that this protection is available only in
>Office 97 - the previous versions of these applications do not have it
>(except the rare Word 7.0a). But they aren't vulnerable to the attack I
>am describing anyway.
>
>This protection has several problems. First of all, it often causes
>false positives - it sometimes triggers even when the document does not
>contain any macros. (I can elaborate when exactly this happens, if there
>is interest.) This often causes people to turn it off. Second, it
>doesn't tell you whether the document contains a virus or not - it just
>warns you about the generic presence of macros. Third, and worst of all,
>the Word 97 implementation of it contains a serious security hole.
>
>When Word 97 opens a document, the built-in macro virus protection
>checks this document for macros (VBA modules). However, it doesn't
>perform a similar check on the template this document is based on - and,
>if this template contains any auto macros, they will be executed when
>the document based on it is opened. Without any warnings whatsoever.
>
>I have discovered and documented this security hole more than two and a
>half years ago. I have reported it to Microsoft people at several
>anti-virus conferences. Microsoft did nothing about it - until recently.
>
>The third part of the problem is the most substantial one - the part
>which makes this attack easy to carry out remotely. Normally, I wouldn't
>have revealed the technical details about it. However, the bad guys have
>figured it out already - there is at least one Web site which tempts the
>user to click on a link allegedly containing a "list of sex sites
>passwords" and which uses this attack to infect the user's machine with
>a macro virus which infects both Word 97, Excel 97 and PowerPoint 97
>documents. :-(
>
>So, the third part of the problem is caused by the fact that when
>specifying the template a Word 97 document is based on, you can specify
>not just a local file but also a URL. The previous versions of Word do
>not have this capability, therefore they are not vulnerable to this
>attack.
>
>I had prepared a demonstration of the attack and it seems to have been
>impressive enough, because Microsoft reacted rather quickly this time -
>in about a week. They issued a patch which fixed the second part of the
>problem - with it, the built-in macro virus protection of Word 97 checks
>for macros not only the document that is being opened but also the
>template it is based on. Please see
>
> Microsoft Security Bulletin:
> http://www.microsoft.com/security/bulletins/ms99-002.asp
> Office Update Download Page:
> http://officeupdate.microsoft.com/downloaddetails/wd97sp.htm
>
>for more information.
>
>Folks, if you are using IE 4.x/5.x and/or Outlook and Word 97, you
>_*MUST*_ install this patch! Otherwise your systems are WIDE open and
>the security hole is *trivial* to exploit! Note, however, that the patch
>will install only on Word 97 SR-1 or SR-2. It will *not* install on the
>original Word 97. If you patch Word 97 SR-1, this will not prevent you
>from patching it later to SR-2.
>
>I would also advise you to make the necessary changes so that IE offers
>you the option to save the remote DOC/DOT files instead of automatically
>launching Word to view them. In order to do this, start the Explorer
>(the file explorer, not IE), select View/Options/File Types, find the
>types Microsoft Word <anything> (where <anything> stands for Addin,
>Backup Document, Document, Template, Wizard and anything else you find
>there), select each one of them in sequence, click on the Edit button
>and make sure that the checkbox labeled "Confirm Open After Download"
>(near the bottom of the dialog that appears) is checked.
>
>And, in general, do not trust files with executable content received
>from dubious sources. Unfortunately, as Microsoft continues to blur the
>difference between your local hard disk and the Internet, problems like
>this one will only get worse. :-( I wonder when we'll see another
>Internet Worm based on a security hole like that... Connectivity is a
>good thing, but it has to rely on a sound security model - not on a
>bunch of patched-together last-minute ugly hacks which try to "protect"
>you by essentially telling you that "you are doing something, are you
>sure?".
>
>Regards,
>Vesselin
>--
>Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
>Postholf 7180, IS-127, Reykjavik, Iceland producers of F-PROT.
>e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
>PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44 E5 F7 C3 18 EA 2B AE 4E
>

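Since the attack in the forwarded post hinges on a Word 97 document naming a template by URL, the first thing a defender wants to know about an inbound .doc/.dot file is whether it points outside the machine at all. The following is an added example, not code from the post, from Bontchev or from Microsoft: a stdlib-only Python scanner that looks for URL and UNC strings in a Word binary file in both 8-bit and UTF-16LE form (Word 97 keeps the attached-template name as a Unicode string in its binary format, which the scanner assumes). The sample bytes are constructed, and a hit flags the file for review rather than proving the string is the template reference.

```python
import re

# Heuristic scanner for remote references in Word binary (.doc/.dot) files.
# Added example, not code from the post or from Microsoft. Assumption: Word 97
# stores the attached-template name as UTF-16LE, so a template fetched over
# the network leaves a wide-character URL or UNC path in the file. 8-bit
# strings are scanned too so hyperlink fields and older files are not missed.
# A hit means "this file references a remote location and needs a look";
# it does not by itself prove that the string is the template path.

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # compound-file signature

_ASCII_REF = re.compile(rb"(?:https?|ftp)://[\x21-\x7e]{3,}|\\\\[\x21-\x7e]{2,}")
# Same patterns with every character followed by a NUL byte (UTF-16LE).
_WIDE_REF = re.compile(
    rb"(?:h\x00t\x00t\x00p\x00(?:s\x00)?|f\x00t\x00p\x00):\x00/\x00/\x00"
    rb"(?:[\x21-\x7e]\x00){3,}"
    rb"|\\\x00\\\x00(?:[\x21-\x7e]\x00){2,}"
)


def find_remote_refs(data: bytes) -> list[str]:
    """Return the distinct URL/UNC strings found in the raw file bytes."""
    refs = {m.group(0).decode("ascii") for m in _ASCII_REF.finditer(data)}
    refs |= {m.group(0).decode("utf-16-le") for m in _WIDE_REF.finditer(data)}
    return sorted(refs)


def assess_doc(data: bytes) -> dict:
    """Report whether the blob is an OLE compound file and whether it points outward."""
    refs = find_remote_refs(data)
    return {
        "ole_compound_file": data.startswith(OLE_MAGIC),
        "remote_refs": refs,
        "review_before_open": bool(refs),
    }


# Constructed samples: an OLE header followed by a template name as Word 97
# would store it (UTF-16LE). The remote one mimics the post's attack shape.
SAMPLE_REMOTE = (OLE_MAGIC + b"\x00" * 16
                 + "http://example.invalid/evil.dot".encode("utf-16-le") + b"\x00\x00")
SAMPLE_LOCAL = OLE_MAGIC + b"\x00" * 16 + "C:\\Templates\\Normal.dot".encode("utf-16-le")

if __name__ == "__main__":
    for name, blob in (("remote", SAMPLE_REMOTE), ("local", SAMPLE_LOCAL)):
        print(name, assess_doc(blob))
```

On a real file, read it in binary mode and pass the bytes to `assess_doc`; anything flagged should be opened only with the MS99-002 patch applied and the document's macros disabled.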