SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#287067

Microsoft PowerPoint and Excel fail to properly detect macros thereby automatically executing malicious code via crafted document (MS01-050)

Overview

A malformed Microsoft Excel or PowerPoint document can bypass macro checking thereby allowing arbitrary code to be run on the target system.

I. Description

Microsoft Excel and PowerPoint scan documents when they are opened and check for the existence of macros. If the document contains macros, the user running Excel or PowerPoint is alerted and asked if they would like the macros to be run. Because Microsoft Excel and PowerPoint do not adequately detect macros, a user can unknowingly run macros containing malicious code when opening an Excel or PowerPoint document. There are several delivery mechanisms available to an intruder to execute this attack. The attacker could craft a specially formed Excel or PowerPoint document with macro code that would run automatically when the user opened it and send it via electronic mail to a victim or multiple victims. Alternatively, the attacker could host a specially formed Excel or PowerPoint document on a web site and offer it for download. Additionally, an attacker could deliver the malicious document via open file shares.

According to the Microsoft Security Bulletin, the following versions of Excel and PowerPoint are affected:

  • Microsoft Excel 2000 for Windows
  • Microsoft Excel 2002 for Windows
  • Microsoft Excel 98 for Macintosh
  • Microsoft Excel 2001 for Macintosh
  • Microsoft PowerPoint 2000 for Windows
  • Microsoft PowerPoint 2002 for Windows
  • Microsoft PowerPoint 98 for Macintosh
  • Microsoft PowerPoint 2001 for Macintosh

Microsoft tested the following versions:
  • Office 98 for Macintosh
  • Office 2001 for Macintosh
  • Office 2000 for Windows
  • Office 2002 for Windows

Versions of Excel and PowerPoint (or indeed, other products in the Office suite) prior to this may be affected, but are unsupported. For example, Symantec claims that Microsoft Office 97 and Microsoft Powerpoint 97 are vulnerable as well. Microsoft has not indicated whether or not Microsoft Excel 97 and Microsoft Powerpoint 97 are vulnerable. We are working with Microsoft to determine if these versions are indeed vulnerable as Symantec claims.

Given the strong potential for widespread abuse of this problem, we strongly recommend that you apply patches as soon as you are able. A similar problem was responsible for the Melissa virus in March of 1999, for example. For more informaiton, see

http://www.cert.org/advisories/CA-1999-04.html

Additional information is available from

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-050.asp

II. Impact

An attacker could craft a specially formed Excel or PowerPoint document with macro code that would run automatically when the user opened it and send it via electronic mail to a victim or multiple victims. Alternatively, the attacker could host a specially formed Excel or PowerPoint document on a web site and offer it for download. Additionally, an attacker could deliver the malicious document via open file shares.

III. Solution

Apply a patch from your vendor.


Microsoft Excel 2000 for Windows:
http://download.microsoft.com/download/excel2000/e2kmac/1/w98nt42kme/en-us/e2kmac.exe
Microsoft Excel 2002 for Windows:
http://download.microsoft.com/download/excel2002/exc1001/1/w98nt42kme/en-us/exc1001.exe
Microsoft Excel 98 for Macintosh:
http://www.microsoft.com/mac/download/office98/pptxlmacro.asp
Microsoft Excel 2001 for Macintosh:
http://www.microsoft.com/mac/download/office2001/pptxlmacro.asp
Microsoft PowerPoint 2000 for Windows:
http://download.microsoft.com/download/powerpoint2000/p2kmac/1/w98nt42kme/en-us/p2kmac.exe
Microsoft PowerPoint 2002 for Windows:
http://download.microsoft.com/download/powerpoint2002/ppt1001/1/w98nt42kme/en-us/ppt1001.exe
Microsoft PowerPoint 98 for Macintosh:
http://www.microsoft.com/mac/download/office98/pptxlmacro.asp
Microsoft PowerPoint 2001 for Macintosh:
http://www.microsoft.com/mac/download/office2001/pptxlmacro.asp

Systems Affected

VendorStatusDate NotifiedDate Updated
Microsoft CorporationVulnerable8-Oct-2001

References

http://www.cert.org/advisories/CA-1999-04.html
http://www.microsoft.com/technet/security/bulletin/MS01-050.asp
Microsoft Excel 2000 for Windows:
http://download.microsoft.com/download/excel2000/e2kmac/1/w98nt42kme/en-us/e2kmac.exe
Microsoft Excel 2002 for Windows:
http://download.microsoft.com/download/excel2002/exc1001/1/w98nt42kme/en-us/exc1001.exe
Microsoft Excel 98 for Macintosh:
http://www.microsoft.com/mac/download/office98/pptxlmacro.asp
Microsoft Excel 2001 for Macintosh:
http://www.microsoft.com/mac/download/office2001/pptxlmacro.asp
Microsoft PowerPoint 2000 for Windows:
http://download.microsoft.com/download/powerpoint2000/p2kmac/1/w98nt42kme/en-us/p2kmac.exe
Microsoft PowerPoint 2002 for Windows:
http://download.microsoft.com/download/powerpoint2002/ppt1001/1/w98nt42kme/en-us/ppt1001.exe
Microsoft PowerPoint 98 for Macintosh:
http://www.microsoft.com/mac/download/office98/pptxlmacro.asp
Microsoft PowerPoint 2001 for Macintosh:
http://www.microsoft.com/mac/download/office2001/pptxlmacro.asp
http://www.securityfocus.com/bid/3402

Credit

This document was written by Ian A. Finlay.

Other Information

Date Public:2001-10-04
Date First Published:2001-10-08
Date Last Updated:2004-04-30
CERT Advisory: 
CVE-ID(s):CVE-2001-0718
NVD-ID(s):CVE-2001-0718
US-CERT Technical Alerts: 
Metric:23.29
Document Revision:22

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2001 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader