Vulnerability Note VU#287067

Microsoft PowerPoint and Excel fail to properly detect macros thereby automatically executing malicious code via crafted document (MS01-050)

Original Release date: 08 Oct 2001 | Last revised: 30 Apr 2004

Overview

A malformed Microsoft Excel or PowerPoint document can bypass macro checking thereby allowing arbitrary code to be run on the target system.

Description

Microsoft Excel and PowerPoint scan documents when they are opened and check for the existence of macros. If the document contains macros, the user running Excel or PowerPoint is alerted and asked if they would like the macros to be run. Because Microsoft Excel and PowerPoint do not adequately detect macros, a user can unknowingly run macros containing malicious code when opening an Excel or PowerPoint document. There are several delivery mechanisms available to an intruder to execute this attack. The attacker could craft a specially formed Excel or PowerPoint document with macro code that would run automatically when the user opened it and send it via electronic mail to a victim or multiple victims. Alternatively, the attacker could host a specially formed Excel or PowerPoint document on a web site and offer it for download. Additionally, an attacker could deliver the malicious document via open file shares.
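The note's point is that the application's own macro check is the wrong place to rely on: a malformed file can slip past it. A mail gateway or file-share scanner can make its own decision by reading the OLE2 Compound File (CFB) container that binary Excel and PowerPoint documents use and looking for the directory entries under which Office stores a VBA project. The reader below is an added example written for this note; it is not code from CERT or from Microsoft. It assumes the CFB layout from Microsoft's published container format (512-byte header, header DIFAT, FAT and directory sectors, 128-byte directory entries) and an assumed marker list of VBA storage names; the sample documents it builds are constructed in memory for the demonstration. It fails closed: a file it cannot parse is reported as malformed rather than clean, which is the property the advisory's own macro check lacked.

```python
import struct

# Added example (not code from the CERT note or from Microsoft): a minimal
# reader for the OLE2 Compound File (CFB) container used by binary Excel and
# PowerPoint documents, so a gateway can check for a VBA project storage
# independently of the application's own (bypassable) macro check.

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN = 0xFFFFFFFE
FREESECT = 0xFFFFFFFF
FATSECT = 0xFFFFFFFD
# Directory names Office uses for VBA projects (assumed marker list).
VBA_MARKERS = {"_VBA_PROJECT_CUR", "VBA", "Macros", "_VBA_PROJECT"}


def cfb_entries(data):
    """Return (name, object_type) for every used directory entry.

    object_type: 1 = storage, 2 = stream, 5 = root. Raises on malformed input.
    """
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE2 compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    first_dir = struct.unpack_from("<I", data, 48)[0]
    # Header DIFAT: up to 109 FAT sector numbers; sector n starts at (n+1)*size.
    fat = []
    for i in range(109):
        sid = struct.unpack_from("<I", data, 76 + 4 * i)[0]
        if sid == FREESECT:
            break
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data,
                                      (sid + 1) * sector_size))
    entries, sid, seen = [], first_dir, set()
    while sid != ENDOFCHAIN and sid not in seen:   # 'seen' guards FAT loops
        seen.add(sid)
        base = (sid + 1) * sector_size
        for pos in range(base, base + sector_size, 128):
            name_len, etype = struct.unpack_from("<HB", data, pos + 64)
            if etype == 0:                          # unused directory slot
                continue
            name = data[pos:pos + max(name_len - 2, 0)].decode("utf-16-le")
            entries.append((name, etype))
        sid = fat[sid] if sid < len(fat) else ENDOFCHAIN
    return entries


def classify(data):
    """Fail closed: a file the reader cannot parse is 'malformed', never 'clean'."""
    try:
        names = [n for n, _ in cfb_entries(data)]
    except (ValueError, struct.error, UnicodeDecodeError, IndexError):
        return "malformed"
    return "macros" if VBA_MARKERS.intersection(names) else "clean"


def build_cfb(children):
    """Constructed sample document: 512-byte sectors, one FAT sector (0) and one
    directory sector (1) holding the root plus up to three child entries."""
    def entry(name, etype, child=FREESECT, right=FREESECT):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        return (raw.ljust(64, b"\x00") + struct.pack("<HBB", len(raw), etype, 1)
                + struct.pack("<III", FREESECT, right, child) + bytes(16)
                + struct.pack("<IQQIQ", 0, 0, 0, 0, 0))
    header = (CFB_MAGIC + bytes(16) + struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6)
              + bytes(6)
              + struct.pack("<9I", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
              + struct.pack("<109I", 0, *([FREESECT] * 108)))
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    directory = entry("Root Entry", 5, child=1 if children else FREESECT)
    for i, (name, etype) in enumerate(children, start=1):
        right = i + 1 if i < len(children) else FREESECT
        directory += entry(name, etype, right=right)
    return header + fat + directory.ljust(512, b"\x00")


if __name__ == "__main__":
    samples = (("clean", build_cfb([("Workbook", 2)])),
               ("macro", build_cfb([("Workbook", 2), ("_VBA_PROJECT_CUR", 1)])),
               ("junk", b"MZ" + bytes(600)))
    for label, doc in samples:
        print(label, "->", classify(doc))
```

The reader deliberately enumerates every used directory slot instead of walking the red-black sibling tree, because a crafted file can arrange the tree so that a walker never visits the VBA storage while the application still finds it; treating "malformed" as a block-or-quarantine verdict rather than a pass is what keeps the gateway check from inheriting the application's weakness.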

According to the Microsoft Security Bulletin, the following versions of Excel and PowerPoint are affected:

  • Microsoft Excel 2000 for Windows
  • Microsoft Excel 2002 for Windows
  • Microsoft Excel 98 for Macintosh
  • Microsoft Excel 2001 for Macintosh
  • Microsoft PowerPoint 2000 for Windows
  • Microsoft PowerPoint 2002 for Windows
  • Microsoft PowerPoint 98 for Macintosh
  • Microsoft PowerPoint 2001 for Macintosh

Microsoft tested the following versions:
  • Office 98 for Macintosh
  • Office 2001 for Macintosh
  • Office 2000 for Windows
  • Office 2002 for Windows

Versions of Excel and PowerPoint (or indeed other products in the Office suite) prior to these may be affected but are unsupported. For example, Symantec claims that Microsoft Office 97 and Microsoft PowerPoint 97 are vulnerable as well. Microsoft has not indicated whether or not Microsoft Excel 97 and Microsoft PowerPoint 97 are vulnerable. We are working with Microsoft to determine if these versions are indeed vulnerable as Symantec claims.

Given the strong potential for widespread abuse of this problem, we strongly recommend that you apply patches as soon as you are able. A similar problem was responsible for the Melissa virus in March of 1999, for example. For more information, see

http://www.cert.org/advisories/CA-1999-04.html

Additional information is available from

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-050.asp

Impact

An attacker could craft a specially formed Excel or PowerPoint document with macro code that would run automatically when the user opened it and send it via electronic mail to a victim or multiple victims. Alternatively, the attacker could host a specially formed Excel or PowerPoint document on a web site and offer it for download. Additionally, an attacker could deliver the malicious document via open file shares.

Solution

Apply a patch from your vendor.

Microsoft Excel 2000 for Windows:
http://download.microsoft.com/download/excel2000/e2kmac/1/w98nt42kme/en-us/e2kmac.exe
Microsoft Excel 2002 for Windows:
http://download.microsoft.com/download/excel2002/exc1001/1/w98nt42kme/en-us/exc1001.exe
Microsoft Excel 98 for Macintosh:
http://www.microsoft.com/mac/download/office98/pptxlmacro.asp
Microsoft Excel 2001 for Macintosh:
http://www.microsoft.com/mac/download/office2001/pptxlmacro.asp
Microsoft PowerPoint 2000 for Windows:
http://download.microsoft.com/download/powerpoint2000/p2kmac/1/w98nt42kme/en-us/p2kmac.exe
Microsoft PowerPoint 2002 for Windows:
http://download.microsoft.com/download/powerpoint2002/ppt1001/1/w98nt42kme/en-us/ppt1001.exe
Microsoft PowerPoint 98 for Macintosh:
http://www.microsoft.com/mac/download/office98/pptxlmacro.asp
Microsoft PowerPoint 2001 for Macintosh:
http://www.microsoft.com/mac/download/office2001/pptxlmacro.asp

Systems Affected

Vendor                  Status     Date Notified   Date Updated
Microsoft Corporation   Affected   21 Jun 2001     08 Oct 2001

CVSS Metrics

Group          Score   Vector
Base           N/A     N/A
Temporal       N/A     N/A
Environmental  N/A     N/A

References

Credit

This document was written by Ian A. Finlay.

Other Information

  • CVE IDs: CVE-2001-0718
  • Date Public: 04 Oct 2001
  • Date First Published: 08 Oct 2001
  • Date Last Updated: 30 Apr 2004
  • Severity Metric: 23.29
  • Document Revision: 22

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.