Microsoft Word and Excel contain special encoding tags for formatting and updating content. An attacker may be able to use these tags to exploit an information disclosure vulnerability.
Microsoft Word and Microsoft Excel are applications that ship as part of the Microsoft Office distribution. Microsoft Word (all versions) and Microsoft Excel 2002 contain special encoding tags that can be used to update or include text in a document or spreadsheet. In Microsoft Word, these tags are known as field codes. In Microsoft Excel, they are known as external updates. Some of these tags can enable an attacker to embed local information into a document and have it returned via a web site. Likewise, if the victim were to open a document and then return it to the attacker, sensitive information could be included in the document. In order to successfully exploit this vulnerability, the attacker would have to know the path of the target file, and trick the victim into opening the malicious document.
An attacker may be able to gather sensitive data stored on the victim's machine.
Microsoft has release Security Bulletin MS02-059 to address this vulnerability.
Vendor| Status| Date Notified| Date Updated
Microsoft Corporation| | -| 17 Oct 2002
If you are a vendor and your product is affected, let us know.
Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A
Thanks to Microsoft and Alex Gantman for reporting this vulnerability.
This document was written by Jason A Rafail.