Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00


Date: Wed, 27 Jan 1999 14:14:39 +0000  
From: Vesselin Bontchev <bontchev@COMPLEX.IS>  
Subject: IE 4/5/Outlook + Word 97 security hole  

Hello folks,  

This is not a strictly Windows NT issue - it affects Windows 9x users  
too. However, it is a very important one, so I decided to post about it  

Remember the so-called "Russian New Year" problem in Excel? Forget it;  
that was peanuts. Exploiting it required substantial knowledge of Excel,  
Windows programming, and assembly language (because the size of the  
programs that could be dropped was minimal). Not that uncommon  
combination, but one requiring at least some level of knowledge and  
experience from the attacker. This new problem can be exploited much,  
MUCH more easily - and all the attacker has to know is Visual Basic for  

Essentially, if you are using Internet Explorer 4.x or 5.x and Word 97  
(the beta, the original release, SR-1, or the SR-2 patch), you are  
vulnerable. Vulnerable, in the sense that just visiting a Web page can  
result in running a hostile VBA program on your machine without any  
warnings. If, in addition, you are using Outlook (any version of it),  
you are even more vulnerable - the attacker can run a hostile VBA  
program on your machine by just sending you an HTML e-mail message. (The  
hostile program will be run when you just VIEW the message - no need to  
click on any links.) The hostile program can do just about anything  
(drop a virus, delete files, steal information) - VBA is an extremely  
powerful language - and very easily.  

The problem consists of several parts. The first part is caused by the  
fact that by default IE 4.x/5.x automatically launches  
Word/Excel/PowerPoint to view URLs which point to DOC/XLS/PPT files (and  
all other file extensions for these applications). That is, you are not  
given the option to save the file to disk instead of opening it. If the  
file contains hostile macros, these macros could be executed by the  
respective application.  

Microsoft "protects" you from such attacks with the so-called built-in  
macro virus protection of the Office 97 versions of the applications  
mentioned above. That is, if the document you are trying to open  
contains any macros, the application will display a warning by default  
(this can be easily turned off) and will offer you the options to open  
the document as is, to open it without the macros (the default), or not  
to open it at all. Please note that this protection is available only in  
Office 97 - the previous versions of these applications do not have it  
(except the rare Word 7.0a). But they aren't vulnerable to the attack I  
am describing anyway.  

This protection has several problems. First of all, it often causes  
false positives - it sometimes triggers even when the document does not  
contain any macros. (I can elaborate when exactly this happens, if there  
is interest.) This often causes people to turn it off. Second, it  
doesn't tell you whether the document contains a virus or not - it just  
warns you about the generic presence of macros. Third, and worst of all,  
the Word 97 implementation of it contains a serious security hole.  

When Word 97 opens a document, the built-in macro virus protection  
checks this document for macros (VBA modules). However, it doesn't  
perform a similar check on the template this document is based on - and,  
if this template contains any auto macros, they will be executed when  
the document based on it is opened. Without any warnings whatsoever.  

I have discovered and documented this security hole more than two and a  
half years ago. I have reported it to Microsoft people at several  
anti-virus conferences. Microsoft did nothing about it - until recently.  

The third part of the problem is the most substantial one - the part  
which makes this attack easy to carry out remotely. Normally, I wouldn't  
have revealed the technical details about it. However, the bad guys have  
figured it out already - there is at least one Web site which tempts the  
user to click on a link allegedly containing a "list of sex sites  
passwords" and which uses this attack to infect the user's machine with  
a macro virus which infects Word 97, Excel 97 and PowerPoint 97  
documents. :-(  

So, the third part of the problem is caused by the fact that when  
specifying the template a Word 97 document is based on, you can specify  
not just a local file but also an URL. The previous versions of Word do  
not have this capability, therefore they are not vulnerable to this  

I had prepared a demonstration of the attack and it seems to have been  
impressive enough, because Microsoft reacted rather quickly this time -  
in about a week. They issued a patch which fixed the second part of the  
problem - with it, the built-in macro virus protection of Word 97 checks  
for macros not only the document that is being opened but also the  
template it is based on. Please see  

Microsoft Security Bulletin:  
Office Update Download Page:  

for more information.  

Folks, if you are using IE 4.x/5.x and/or Outlook and Word 97, you  
_*MUST*_ install this patch! Otherwise your systems are WIDE open and  
the security hole is *trivial* to exploit! Note, however, that the patch  
will install only on Word 97 SR-1 or SR-2. It will *not* install on the  
original Word 97. If you patch Word 97 SR-1, this will not prevent you  
from patching it later to SR-2.  

I would also advise you to make the necessary changes so that IE offers  
you the option to save the remote DOC/DOT files instead of automatically  
launching Word to view them. In order to do this, start the Explorer  
(the file explorer, not IE), select View/Options/File Types, find the  
types Microsoft Word <anything> (where <anything> stands for Addin,  
Backup Document, Document, Template, Wizard and anything else you find  
there), select each one of them in sequence, click on the Edit button  
and make sure that the checkbox labeled "Confirm Open After Download"  
(near the bottom of the dialog that appears) is checked.  

And, in general, do not trust files with executable content received  
from dubious sources. Unfortunately, as Microsoft continues to blur the  
difference between your local hard disk and the Internet, problems like  
this one will only get worse. :-( I wonder when we'll see another  
Internet Worm based on a security hole like that... Connectivity is a  
good thing, but it has to rely on a sound security model - not on a  
bunch of patched-together last-minute ugly hacks which try to "protect"  
you by essentially telling you that "you are doing something, are you  

Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,  
Postholf 7180, IS-127, Reykjavik, Iceland producers of F-PROT.  
e-mail:, tel.: +354-561-7273, fax: +354-561-7274  
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44 E5 F7 C3 18 EA 2B AE 4E
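
An added check for the Explorer setting recommended in the message above (example code, not part of Bontchev's post). The "Confirm Open After Download" checkbox in the File Types dialog is stored in the registry as the FTA_OpenIsSafe bit (0x00010000) of a ProgID's EditFlags value: while the bit is set, Explorer and IE hand a downloaded file of that type straight to Word without asking. The script parses a registry export of the kind `regedit /e` produces, lists the Word types that still have the bit set, and emits a .reg fragment that clears it. The export text, the ProgIDs (Word.Document.8 and friends) and the EditFlags values in it are constructed for the example and stand in for an export taken from the machine being audited.

```python
"""Audit a registry export for Word file types that open without confirmation.

Added example, not code from the original post. The EditFlags bit meaning is
the documented Windows shell flag FTA_OpenIsSafe; the .reg excerpt below is
constructed sample input, not a capture from a real machine.
"""
import re
from typing import Dict, List, Optional

# FTA_OpenIsSafe: set => "Confirm open after download" is UNchecked.
FTA_OPEN_IS_SAFE = 0x00010000

# Only top-level ProgID keys (no subkeys such as ...\shell\open) are matched.
_KEY_RE = re.compile(r'^\[HKEY_CLASSES_ROOT\\([^\\\]]+)\]$')
# EditFlags is exported either as REG_DWORD (dword:) or REG_BINARY (hex:).
# Assumption for the example: the value is not wrapped over several lines.
_EDITFLAGS_RE = re.compile(
    r'^"EditFlags"=(?:dword:([0-9a-fA-F]{8})|hex:([0-9a-fA-F,]+))$')

# Constructed sample export (REGEDIT4 header as written by Win9x/NT4 regedit).
SAMPLE_REG = r"""REGEDIT4

[HKEY_CLASSES_ROOT\Word.Document.8]
@="Microsoft Word Document"
"EditFlags"=dword:00010000

[HKEY_CLASSES_ROOT\Word.Template.8]
@="Microsoft Word Template"
"EditFlags"=hex:00,00,01,00

[HKEY_CLASSES_ROOT\Word.Addin.8]
@="Microsoft Word Addin"

[HKEY_CLASSES_ROOT\Word.Backup.8]
@="Microsoft Word Backup Document"
"EditFlags"=dword:00000000
"""


def _decode_value(dword_hex: Optional[str], hex_bytes: Optional[str]) -> int:
    """Turn either export syntax into the integer flag word."""
    if dword_hex is not None:
        return int(dword_hex, 16)
    raw = bytes(int(b, 16) for b in hex_bytes.split(",") if b)
    return int.from_bytes(raw, "little")  # REG_BINARY dwords are little-endian


def parse_reg_export(text: str) -> Dict[str, Optional[int]]:
    """Map each top-level ProgID in the export to its EditFlags (None if absent)."""
    flags: Dict[str, Optional[int]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            flags.setdefault(current, None)
            continue
        if current is None:
            continue
        m = _EDITFLAGS_RE.match(line)
        if m:
            flags[current] = _decode_value(m.group(1), m.group(2))
    return flags


def confirm_prompt_disabled(flags: Optional[int]) -> bool:
    """True when the shell would open the type without asking the user."""
    return flags is not None and bool(flags & FTA_OPEN_IS_SAFE)


def unsafe_types(text: str, prefix: str = "Word.") -> List[str]:
    """ProgIDs under `prefix` whose files are handed to the application silently."""
    return [progid for progid, value in parse_reg_export(text).items()
            if progid.startswith(prefix) and confirm_prompt_disabled(value)]


def clear_open_is_safe(flags: int) -> int:
    """EditFlags with the silent-open bit removed, other bits untouched."""
    return flags & ~FTA_OPEN_IS_SAFE


def fix_reg(text: str, prefix: str = "Word.") -> str:
    """Build a .reg fragment that re-enables the prompt for every unsafe type."""
    parsed = parse_reg_export(text)
    out = ["REGEDIT4", ""]
    for progid in unsafe_types(text, prefix):
        out.append(f"[HKEY_CLASSES_ROOT\\{progid}]")
        out.append(f'"EditFlags"=dword:{clear_open_is_safe(parsed[progid]):08x}')
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    for progid in unsafe_types(SAMPLE_REG):
        print(f"{progid}: opens without confirmation")
    print(fix_reg(SAMPLE_REG))
```

On a real machine, replace SAMPLE_REG with the contents of an export of HKEY_CLASSES_ROOT and import the emitted fragment with regedit; a type with no EditFlags value at all already prompts, which is why the script only touches keys where the bit is set.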