Bugtraq mailing list archives

Re: (New ?) Macro security hole in Word 97

From: brok () RUBIKON PL (Bronek Kozicki)
Date: Sat, 22 Jul 2000 22:34:24 +0200


From: "Bongard, Dominique" <Bongard.Dominique () PMINTL CH>
Sent: Friday, July 21, 2000 9:46 AM

When the next user on my station opened word, the file was automatically
opened, and the macro executed without asking for any confirmation.


I have found the same problem on Windows 2000, running MS Word 2000 (without
SR1). Temp file was saved in my private TEMP directory, not system-wide. I
have international (Polish) version of Windows 2000 and Office 2000.

Together with another vulnerability ("Force Feeding" - bugtraqid 1394) this
could be very dangerous - simple HTML may put
Auto_Recovery_of_eat_me_now.asd
in user's temp directory. When he/she starts MS Word, it will be
executed, regardless of Word macro setting. I have not tested it - "force
feeding" does not work for me.

Regards

B.

Current thread:

Security Fix for Blackboard CourseInfo 4.0, (continued)
- - - Security Fix for Blackboard CourseInfo 4.0 aleph1 () securityfocus com (Jul 19)
    - [TL-Security-Announce] wu-ftpd TLSA2000014-1 Joe Little (Jul 19)
    - @stake iKey 1000 Security Advisory Kingpin (Jul 20)
    - Re: @stake iKey 1000 Security Advisory Darren Reed (Jul 20)
    - Security Update: DoS on gpm Technical Support (Jul 20)
  - Biometrics conference Farrow, Rik (Jul 17)
  - Re: CheckPoint FW1 BUG Brian Krahmer (Jul 17)
    - Re: CheckPoint FW1 BUG Nicolas FISCHBACH (Jul 18)
    - [Paper] Format bugs. Pascal Bouchareine (Jul 18)
    - (New ?) Macro security hole in Word 97 Bongard, Dominique (Jul 21)
    - Re: (New ?) Macro security hole in Word 97 Bronek Kozicki (Jul 22)
    - Jakarta-tomcat.../admin Scott Morris (Jul 21)
    - StackGuard with ... Re: [Paper] Format bugs. Alan DeKok (Jul 21)
    - [RHSA-2000:044-02] Updated PAM packages are available. bugzilla () REDHAT COM (Jul 21)
    - Re: StackGuard with ... Re: [Paper] Format bugs. Theo de Raadt (Jul 21)
    - Roxen security alert: Problems with URLs containing null characters. Peter Bortas (Jul 21)
    - Re: StackGuard with ... Re: [Paper] Format bugs. Brett Glass (Jul 21)
    - Re: StackGuard with ... Re: [Paper] Format bugs. Greg A. Woods (Jul 24)
    - Re: StackGuard with ... Re: [Paper] Format bugs. Brett Glass (Jul 25)
    - Re: StackGuard with ... Re: [Paper] Format bugs. mixter (Jul 24)
    - Re: StackGuard with ... Re: [Paper] Format bugs. Linus Akesson (Jul 24)

(Thread continues...)