Full Disclosure mailing list archives

FW: Microsoft Security Bulletin MS03-035: Flaw in Microsoft Word Could Enable Macros to Run Automatically(827653)

From: "Rainer Gerhards" <rgerhards () hq adiscon com>
Date: Thu, 4 Sep 2003 10:38:44 +0200

Excellent piece of Microsoft software...

Can't even install it on Word 2002 German on WinXP German. The patch
says (translated) "did not find the product expected". I then tried the
office update site. That fails with an general error, telling me I
should review my security settings.

Bottom line: nice patch, but can't install...

Am I now guilty of lazyness if I do not patch?

Anyone else with similar problems?

Rainer Gerhards

-----Original Message-----
From: Microsoft 
[mailto:0_51912_A303F73D-CBD5-4F48-8040-2B7DCAAAC7DF_DE@Newsle
tters.Microsoft.com] 
Sent: Thursday, September 04, 2003 6:41 AM
To: Rainer Gerhards
Subject: Microsoft Security Bulletin MS03-035: Flaw in 
Microsoft Word Could Enable Macros to Run Automatically(827653)

-----BEGIN PGP SIGNED MESSAGE-----

- -------------------------------------------------------------------
Title:     Flaw in Microsoft Word Could Enable Macros to Run 
           Automatically (827653)
Date:      September 3, 2003
Software:  Microsoft Word 97 
           Microsoft Word 98 (J) 
           Microsoft Word 2000 
           Microsoft Word 2002 
           Microsoft Works Suite 2001 
           Microsoft Works Suite 2002 
           Microsoft Works Suite 2003 
Impact:    Run macros without warning 
Max Risk:  Important
Bulletin:  MS03-035

Microsoft encourages customers to review the Security Bulletins at:

http://www.microsoft.com/technet/security/bulletin/MS03-035.asp 
http://www.microsoft.com/security/security_bulletins/MS03-035.asp

- -------------------------------------------------------------------

Issue:
======
A macro is a series of commands and instructions that can be 
grouped together as a single command to accomplish a task 
automatically. Microsoft Word supports the use of macros to allow 
the automation of commonly performed tasks. Since macros are 
executable code it is possible to misuse them, so Microsoft Word 
has a security model designed to validate whether a macro should be 
allowed to execute depending on the level of macro security the 
user has chosen.

A vulnerability exists because it is possible for an attacker to 
craft a malicious document that will bypass the macro security 
model. If the document was opened, this flaw could allow a 
malicious macro embedded in the document to be executed 
automatically, regardless of the level at which macro security is 
set. The malicious macro could take the same actions that the user 
had permissions to carry out, such as adding, changing or deleting 
data or files, communicating with a web site or formatting the hard 
drive. 

The vulnerability could only be exploited by an attacker who 
persuaded a user to open a malicious document - there is no way for 
an attacker to force a malicious document to be opened.

Mitigating Factors:
====================
 - The user must open the malicious document for an attacker to be 
   successful. An attacker cannot force the document to be opened 
   automatically. 

 - The vulnerability cannot be exploited automatically through e- 
   mail. A user must open an attachment sent in e-mail for an e-
   mail borne attack to be successful. 

 - By default, Outlook 2002 block programmatic access to the 
   Address Book. In addition, Outlook 98 and 2000 block 
   programmatic access to the Outlook Address Book if the Outlook 
   Email Security Update has been installed. Customers who use any 
   of these products would not be at risk of propagating an e-mail 
   borne attack that attempted to exploit this vulnerability. 

 - The vulnerability only affects Microsoft Word - other members of  
   the Office product family are not affected. 

Risk Rating:
============
 -Important

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletins at

  http://www.microsoft.com/technet/security/bulletin/MS03-035.asp 
  http://www.microsoft.com/security/security_bulletins/MS03-035.asp

   for information on obtaining this patch.

Acknowledgment:
===============
 - Jim Bassett of Practitioners Publishing Company 
(http://www.ppcnet.com)
- -------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS 
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES 
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO 
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR 
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, 
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF 
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION 
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES 
SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQEVAwUBP1UvR40ZSRQxA/UrAQE0jwf8Dzm8/NCPSiH+BP7ePKRl66a9rawIDdlu
V+52lARZNbRkBNU00U8ImEzilgfIbgj0HZkcb4GpaQLUsPbYSuyiyu9PrKn0i+/j
JTaZOg48YJYZzhFOq+drUAMmwMQAkD3xb9fCrSxqET4/K4/55qiJW5uyOlH9RZ3K
BS6fhpmrQhOHGRU1gxWDbnRwWZmaqqMCr4WlGJZKZRH3L6kXwEfoH77Xq/v8BiXC
y0a6YqMpmA/Jd3Dpx8ByQBMTEfr2eHmMR9WDBowCip4iQ+p/Qorn8q6JpVlm8mhr
G+fCshh3bCiniTX5cXt+9B4yVqnpYXHefB0Vt5mfi6/bavgbiqdt4A==
=ZJEd
-----END PGP SIGNATURE-----

*******************************************************************

You have received this e-mail bulletin because of your 
subscription to the Microsoft Product Security Notification 
Service.  For more information on this service, please visit 
http://www.microsoft.com/technet/security/noti> fy.asp.

To 
verify the digital signature on this bulletin, 
please download our PGP key at 
http://www.microsoft.com/technet/security/noti> fy.asp.

To 
unsubscribe from the Microsoft Security 
Notification Service, please visit the Microsoft Profile 
Center at http://register.microsoft.com/regsys/pic.asp 

If you do not wish to use Microsoft Passport, you can 
unsubscribe from the Microsoft Security Notification Service 
via email as described below:
Reply to this message with the word UNSUBSCRIBE in the Subject line.

For security-related information about Microsoft products, 
please visit the Microsoft Security Advisor web site at

http://www.microsoft.com/security.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

FW: Microsoft Security Bulletin MS03-035: Flaw in Microsoft Word Could Enable Macros to Run Automatically(827653) Rainer Gerhards (Sep 04)
- <Possible follow-ups>
- RE: FW: Microsoft Security Bulletin MS03-035: Flaw in Microsoft Word Could Enable Macros to Run Automatically(827653) Rainer Gerhards (Sep 04)