Bugtraq mailing list archives

Microsoft Security Bulletin (MS98-005)


From: aleph1 () DFW NET (Aleph One)
Date: Mon, 20 Jul 1998 13:45:25 -0500


---------- Forwarded message ----------
Date: Mon, 20 Jul 1998 10:04:46 -0700
From: Microsoft Product Security Response Team <secure () MICROSOFT COM>
To: MICROSOFT_SECURITY () ANNOUNCE MICROSOFT COM
Subject: Microsoft Security Bulletin (MS98-005)

Microsoft Security Bulletin (MS98-005)

------------------------------------------------------------------------

Unwanted Data Issue with Office 98 for the Macintosh

Last Revision: July 17, 1998

Summary
=======
Recently Microsoft was notified of an issue affecting the way files are
stored to local disks in Microsoft Office 98 for the Macintosh. When Office
98 for the Macintosh creates a file on the local disk for storage, it is
possible that a small amount of random data from a previously deleted file
could become embedded in the Office 98 file.

While the likelihood of revealing sensitive information is low, if this file
were then sent to another user, it could possibly expose data from a
previously deleted file on the sender's system.

The purpose of this bulletin is to inform Microsoft customers of this issue,
its applicability to Microsoft products, and the availability of
countermeasures Microsoft has developed to further secure its customers.

Issue
=====
The problem is caused by the way Office 98 allocates space on a disk for
local file storage. The Mac OS file system -- like those of many other
operating systems -- does not erase files when you delete them; it simply
removes a reference to them in the disk's catalog and marks the space they
occupied as "free." Office
98 does not clear the disk space when the Mac OS allocates it during a File
Save operation. Instead, Office 98 simply writes the file contents to the
allocated disk space, overwriting any random data that physically existed on
the disk. Since the Mac OS allocates the disk space in set chunks, called
clusters, the small amount of unused space at the end of the file's last
cluster may contain random data from previously-deleted files. The data
cannot be viewed when opened as a native Office file. However, an ASCII text
editor can be used to view the extraneous data.

It is unlikely that sensitive data will be transferred through this bug, as
multiple unusual scenarios must occur.

Affected Software Versions
==========================
 - Microsoft Office 98 for the Macintosh

What Microsoft is Doing
=======================
Microsoft has produced an update for Office 98 for the Macintosh that
completely eliminates this problem. This update is available from
Microsoft's web site, as well as from Microsoft Technical Support. It will
be included in all future updates of Office 98 for the Macintosh.

What customers should do
========================
Microsoft recommends that customers using Office 98 for the Macintosh
install the available Office 98 update, which can be downloaded from the
Office 98 for the Macintosh web site at http://www.microsoft.com/macoffice.

Previous versions of Office for the Macintosh are not affected.

Administrative workaround
=========================
Customers who cannot apply the hot fix can use the following workarounds to
temporarily address this issue:

 - This problem can be eliminated by using a third-party disk utility
   for the Mac OS that completely erases files when they are deleted.
 - Users can save files to freshly formatted floppy disks to ensure
   that there is no unwanted data included with the file.
 - This issue only affects files that are saved to a local Macintosh
   volume. By performing a "Save As..." operation from Office 98 and
   saving the file to a network volume, such as a Windows NT Server
   running Services for Macintosh, any random data at the end of the
   file will be removed.

More Information
================
Please see the following references for more information related to this
issue.

 - Microsoft Security Bulletin 98-005, Unwanted Data Issue with Office
   98 for the Macintosh (the web-posted version of this bulletin),
   http://www.microsoft.com/security/bulletins/ms98-005..htm
 - Microsoft MacOffice web site, http://www.microsoft.com/macoffice

Revisions
=========
 - July 17, 1998: Bulletin Created

For additional security-related information about Microsoft products, please
visit http://www.microsoft.com/security

------------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.

(c) 1998 Microsoft and/or its suppliers. All rights reserved.
For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.

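
Added example, not part of the bulletin and not Microsoft's code: a simplified Python model of the behaviour the "Issue" section describes, where deleted data survives in the unused tail of a reused cluster unless the save path overwrites that tail. The Volume class, the 16-byte cluster size and the file contents are constructed for illustration.

```python
CLUSTER = 16  # constructed cluster size; real volumes use much larger clusters


class Volume:
    """Toy volume: a byte array split into clusters, a free list and a catalog."""

    def __init__(self, clusters):
        self.disk = bytearray(clusters * CLUSTER)
        self.free = list(range(clusters))
        self.catalog = {}  # name -> (cluster numbers, logical length)

    def delete(self, name):
        # Deleting only drops the catalog entry and marks the clusters free;
        # the bytes stay on the disk.
        clusters, _ = self.catalog.pop(name)
        self.free = clusters + self.free

    def save(self, name, data, clear_slack):
        need = max(1, -(-len(data) // CLUSTER))  # whole clusters, rounded up
        if need > len(self.free):
            raise OSError("volume full")
        clusters, self.free = self.free[:need], self.free[need:]
        # Hardened path: pad to the cluster boundary so the tail is overwritten too.
        payload = data.ljust(need * CLUSTER, b"\0") if clear_slack else data
        for i, c in enumerate(clusters):
            chunk = payload[i * CLUSTER:(i + 1) * CLUSTER]
            self.disk[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.catalog[name] = (clusters, len(data))

    def slack(self, name):
        """Bytes between the file's logical end and the end of its last cluster."""
        clusters, length = self.catalog[name]
        used = length - (len(clusters) - 1) * CLUSTER
        start = clusters[-1] * CLUSTER
        return bytes(self.disk[start + used:start + CLUSTER])


def demo(clear_slack):
    vol = Volume(clusters=4)
    # Constructed "sensitive" file that is saved and then deleted.
    vol.save("payroll", b"SECRET-PAYROLL-DATA-1998", clear_slack=False)
    vol.delete("payroll")
    vol.save("memo", b"Memo", clear_slack=clear_slack)
    return vol.slack("memo")


if __name__ == "__main__":
    print("slack, not cleared:", demo(False))
    print("slack, cleared:    ", demo(True))
```

Any tool that copies or transmits whole clusters rather than the logical length carries the uncleared tail along with the file.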


