OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Microsoft Product Security (secnotifMICROSOFT.COM)
Date: Thu Jun 21 2001 - 18:21:01 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    The following is a Security Bulletin from the Microsoft Product Security
    Notification Service.

    Please do not reply to this message, as it was sent from an unattended
    mailbox.
                        ********************************

    -----BEGIN PGP SIGNED MESSAGE-----

    - ----------------------------------------------------------------------
    Title: Malformed Word Document Could Enable Macro to
                Run Automatically
    Date: 21 June 2001
    Software: Word
    Impact: Run macro without warning
    Bulletin: MS01-034

    Microsoft encourages customers to review the Security Bulletin at:
    http://www.microsoft.com/technet/security/bulletin/MS01-034.asp.
    - ----------------------------------------------------------------------

    Issue:
    ======
    Word, like other members of the Office product family, provides a
    security mechanism that requires the user's approval to run macros.
    By
    design, any time a document is opened Word scans it for macros. If
    any
    are found, they are handled in accordance with user's selected
    security
    settings. By default in Word 2000 and 2002, only macros that are
    signed
    by a trusted party are enabled; all others are disabled. In Word 97,
    if
    the document contains macros, the user is prompted regarding whether
    to
    enable them or disable them.

    A vulnerability results because it is possible to modify a Word
    document in such a way as to prevent the security scanner from
    recognizing an embedded macro while still allowing it to execute.
    Exploiting the vulnerability would enable an attacker to cause a
    macro
    to run automatically when such a document was opened. Such a macro
    would be able to take any action that the user herself could take.
    This
    could include disabling the user's Word security settings so that
    subsequently-opened Word documents would no longer be checked for
    macros.

    Mitigating Factors:
    ====================
     - The vulnerability only affects Word. Other Office products
       are not affected.
     - Customers using the Outlook E-mail Security Update
       (which is included as part of Word 2002) will be protected
       from any worm viruses contained in Word documents.

    Patch Availability:
    ===================
     - A patch is available to fix this vulnerability. Please read the
       Security Bulletin
       http://www.microsoft.com/technet/security/bulletin/ms01-034.asp
       for information on obtaining this patch.

    Acknowledgment:
    ===============
     - Steven McLeod (stevenmcleodhotmail.com)

    - ---------------------------------------------------------------------

    THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
    "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
    WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
    SHALL
    MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
    WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
    LOSS
    OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION
    OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
    DAMAGES.
    SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
    CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
    NOT
    APPLY.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP Personal Privacy 6.5.3

    iQEVAwUBOzKBXo0ZSRQxA/UrAQHJqwf/dH6cWBpYm80nCxxD1ZL1b4kbhC2dHmar
    use6H2uxX7BCPZ3z/3tGCpFBGm4MZRhZtQEE8xdMFUV/g7S5T0h4IZb5pOVP46Zx
    w8ODksZ0KshkbaXuOpfAd7W4PpH9tiWZaQqH20VQGh4NMwV5DC3t0TwXatKzVwcq
    /iUOFFVllzYCEVCMlR5B/YCjLmwkLQiK3Q4T8JHPsoPd/pm2JVwP+DsFq3WjP78P
    Hd/Mukk3rxcnRI4Yxqb6BeEWhRxkdtNP7G7u8k5O1uXx1tcopgTtAGT766FvFWyu
    bzESIl+ee735/rxrO4lzwoXj83uQ/ViuzxHJ2hGIjipZIUk3TsIZ/g==
    =Iv0X
    -----END PGP SIGNATURE-----

       *******************************************************************
    You have received this e-mail bulletin as a result of your registration
    to the Microsoft Product Security Notification Service. You may
    unsubscribe from this e-mail notification service at any time by sending
    an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUESTANNOUNCE.MICROSOFT.COM
    The subject line and message body are not used in processing the request,
    and can be anything you like.

    To verify the digital signature on this bulletin, please download our PGP
    key at http://www.microsoft.com/technet/security/notify.asp.

    For more information on the Microsoft Security Notification Service
    please visit http://www.microsoft.com/technet/security/notify.asp. For
    security-related information about Microsoft products, please visit the
    Microsoft Security Advisor web site at http://www.microsoft.com/security.