From: Georgi Guninski (guninski_at_GUNINSKI.COM)
Date: Wed Jul 31 2002 - 11:58:10 CDT

    Georgi Guninski security advisory #57, 2002

    IE and .xla may lead to problems

    Systems affected:
    Office XP + IE 6.0 + Win2K (probably others)

    Risk: High
    Date: 31 July 2002

    Legal Notice:
    This Advisory is Copyright (c) 2002 Georgi Guninski.
    You may distribute it unmodified.
    You may not modify it and distribute it or distribute parts
    of it without the author's written permission.
    If you want to link to this content use the URL:
    http://www.guninski.com/iexla.html
    Anything in this document may change without notice.

    Disclaimer:
    The information in this advisory is believed to be true though
    it may be false.
    The opinions expressed in this advisory and program are my own and
    not of any company. The usual standard disclaimer applies,
    especially the fact that Georgi Guninski is not liable for any damages
    caused by direct or indirect use of the information or functionality
    provided by this advisory or program. Georgi Guninski bears no
    responsibility for content or misuse of this advisory or program or
    any derivatives thereof.

    Description:

    If an IE user visits a specially designed web page, the page may create
    almost arbitrary files on his computer. This may lead to executing arbitrary
    programs on the user's computer.

    Details:

    This isn't quite a new issue, but the involvement of IE in it makes it worth
    noting. [1] (from March 2002) describes a problem with the MS spreadsheet
    component [2] and in its Host() function which may be exploited to create
    a file.
    Microsoft tried to produce a partial patch for the issue, but the problem isn't
    solved yet. It is still possible to create a .xls or .xla file which writes
    files with the help of OWC. The .xla file may be just an .html file with an
    .xla extension.
    Note: the HTML formatting of [1] is broken, so newlines should
    be dealt with.

    Another interesting problem is [3] from 2000. The key point in it is that
    IE may invoke Excel with <object data="file.xla"></object>. Though not
    visible, Excel executes "file.xla", which may contain tricks from
    [1], so OWC does SaveAs().

    So the strange ActiveX scheme is like this: IE -> Excel -> OWC -> Excel ->
    SaveAs().

    Workaround/Solution:

    In IE disable "Run ActiveX controls and plugins"
    Have not tested this personally but probably works:
    Deregister and delete the ms office spreadsheet component and/or all the
    OWC. This may be done from:
    Control Panel - Add/Remove programs - Office - Change (then look for OWC)

    Vendor status:

    Microsoft was notified several days ago - they have opened a case on this
    report.

    References
    (available from www.guninski.com and public lists):
    [1] Georgi Guninski security advisory #53, 2002 -
      More Office XP problems - Version 3.0 - 31 March 2002
    [2] The spreadsheet component from OWC is well documented on the office cds.
    [3] Georgi Guninski security advisory #13, 2000
    IE 5 and Excel 2000, PowerPoint 2000 vulnerability - executing programs

    Regards,
    Georgi Guninski
    http://www.guninski.com
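
A triage check for the two indicators the advisory describes: a .xla/.xls file that is really HTML, and a web page that loads an Excel file through an <object data=...> tag. This is an added example, not part of the original advisory; the function names and the sample files are constructed for illustration, and the heuristic assumes genuine binary workbooks begin with the OLE2 compound-file signature.

```python
from __future__ import annotations
import re

# OLE2 compound-file signature that binary .xls/.xla workbooks start with.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
EXCEL_EXT = (".xla", ".xls")
# <object ... data=target> where target ends in .xla or .xls (quoted or not).
OBJECT_DATA = re.compile(
    rb"<object\b[^>]*?\bdata\s*=\s*[\"']?([^\"'\s>]+\.(?:xla|xls))(?=[\"'\s>?#])",
    re.IGNORECASE)
HTML_HINT = re.compile(rb"<\s*(?:html|head|body|script|object|meta)\b", re.IGNORECASE)


def is_html_disguised_as_excel(name: str, content: bytes) -> bool:
    """True when a file named .xla/.xls is not OLE2 and contains HTML markup."""
    if not name.lower().endswith(EXCEL_EXT):
        return False
    if content.startswith(OLE2_MAGIC):
        return False
    return HTML_HINT.search(content[:4096]) is not None


def excel_object_embeds(page: bytes) -> list[str]:
    """Return the data= targets of <object> tags that point at Excel files."""
    return [m.decode("latin-1") for m in OBJECT_DATA.findall(page)]


def triage(files: dict[str, bytes]) -> list[tuple[str, str]]:
    """Check every file for both indicators; returns (file name, reason) pairs."""
    findings = []
    for name, content in sorted(files.items()):
        if is_html_disguised_as_excel(name, content):
            findings.append((name, "HTML content with Excel extension"))
        for target in excel_object_embeds(content):
            findings.append((name, f"<object> loads Excel file: {target}"))
    return findings


# Constructed sample inputs (harmless placeholders, not taken from the advisory).
SAMPLES = {
    "page.html": b'<html><body><object data="file.xla"></object></body></html>',
    "file.xla": b"<html><body>placeholder markup</body></html>",
    "budget.xls": OLE2_MAGIC + b"\x00" * 64,
    "notes.txt": b"plain text mentioning file.xla",
}

if __name__ == "__main__":
    for name, reason in triage(SAMPLES):
        print(f"{name}: {reason}")
```

Excel also opens legitimate HTML exports saved with an .xls extension, so a hit is a signal for review rather than proof of abuse.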