-----BEGIN PGP SIGNED MESSAGE-----
Title: Flaw in Word Fields and Excel External Updates Could Lead to Information Disclosure (Q330008) Date: 16 October 2002 Software: Microsoft(r) Word and Microsoft(r) Excel Impact: Information Disclosure Max Risk: Moderate Bulletin: MS02-059
Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS02-059.asp.
Word and Excel provide a mechanism through which data from one document can be inserted to and updated in another document. This mechanism, known as field codes in Word and external updates in Excel, can be automated to reduce the amount of manual effort required by a user. An example of the use of Word field codes could be the automatic insertion of a standard disclaimer paragraph in a legal document. An example of the use of external updates in Excel could be the automatic updating of a chart in one spreadsheet using data in a different spreadsheet.
A vulnerability exists because it is possible to maliciously use field codes and external updates to steal information from a user without the user being aware. Certain events can trigger field code and external update to be updated, such as saving a document or by the user manually updating the links. Normally the user would be aware of these updates occurring, however a specially crafted field code or external update can be used to trigger an update without any indication to the user. This could enable an attacker to create a document that, when opened, would update itself to include the contents of a file from the user's local computer.
In order for an attacker to take advantage of this vulnerability, the attacker would need to perform the following steps:
-Craft a Word or Excel document that exploits the vulnerability -Deliver it to the user, via email or some other method -Entice the user to open the document -Return the document to the attacker. (Microsoft is aware of one case in which it would not be necessary for the user to do this. There is one method through which the attacker's document could post information directly to a web site, but it would only allow the first line of the file to be sent)
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
-----BEGIN PGP SIGNATURE----- Version: PGP 7.1
iQEVAwUBPa2ZzY0ZSRQxA/UrAQHcXAf+I+gQmAv/O9eAtJ7VygEYjZWY0WOHy1od XULm2U8r0jdGJuRaqKxXVkk98ZVhfZdDUwTyJSAMA9NIo7DqlL591k5TX5k2rqjn SnNheHac5cEdIjnC1BUNoYvFq9FopMCaI+vuR2mYMCpR9MzYBEIpgg0DKddvX9L3 Ug4ObBN/vGkWSDTbyyTWPgTNJV0njPBy+ZAwbYoS9PHbYFQui/oSRDxPzACv9/92 kA9R+OREra0Zc61wxawtoHCsXJed4MIYnNfLcq4GQsYiqKrB5b8UllHT/jA7uOcl pI+H56GhimHalSQZj8Mrj390jYKev9usqR6SeVKM0/7vUTa+Etp0qA== =+HVg -----END PGP SIGNATURE-----
You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service. For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.
To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.
To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp
If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via email as described below: Reply to this message with the word UNSUBSCRIBE in the Subject line.
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.