Microsoft Office Web Components (OWC) allows a malicious script on a web page to learn if a file exists on the client's filesystem.
OWC allows Microsoft Office documents such as spreadsheets and charts to be viewed within an HTML document in Microsoft Internet Explorer (IE). OWC is included with Microsoft Office and can also be downloaded for free from Microsoft's web site. By default, it is marked safe for scripting by ActiveX and other scripting components.
The Load method of OWC's Chart component opens a file specified by a Uniform Resource Identifier (URI) without checking the validity of the URI. If the URI points to the client's local filesystem, the Load method will attempt to open the file at that location. If the file does not exist, the method will return an error. If the file exists, the method does not return the error. A malicious script can use the result to determine if the file exists.
A malicious script can test any location on the client's filesystem for existence of files, thereby learning what files exist locally and on accessible network drives.
The CERT/CC is currently unaware of patches or other software updates to resolve this problem.
Remove OWC. If OWC was installed with Microsoft Office, choose "Add/Remove Components" from the Microsoft Office Setup interface. If OWC was installed separately from Office, choose "Add/Remove Programs" in Windows.
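To confirm whether OWC controls are still registered and marked safe for scripting on a host, before or after removal, the following audit script can be used. It is an added example, not part of the original note; it assumes that OWC classes register ProgIDs beginning with "OWC" (adjust `$ProgIdPrefix` if the installed version differs).

```powershell
# Added example: list registered COM classes whose ProgID begins with "OWC"
# and report whether each is flagged safe for scripting or initialization.
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C205D}'  # CATID_SafeForScripting
$SafeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C205D}'  # CATID_SafeForInitializing
$ProgIdPrefix     = 'OWC'   # assumption: prefix used by the installed OWC version

# Check both the native and the 32-bit (WOW6432Node) registry views.
$roots = @('HKLM:\SOFTWARE\Classes\CLSID',
           'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID' | Where-Object { Test-Path $_ })

$findings = foreach ($root in $roots) {
    foreach ($clsidKey in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        # The default value of the ProgID subkey names the component.
        $progIdKey = $clsidKey.OpenSubKey('ProgID')
        if (-not $progIdKey) { continue }
        $progId = [string]$progIdKey.GetValue('')
        $progIdKey.Close()
        if (-not $progId.StartsWith($ProgIdPrefix, [StringComparison]::OrdinalIgnoreCase)) { continue }

        # Component categories are stored as subkeys of "Implemented Categories".
        $cats = @()
        $catKey = $clsidKey.OpenSubKey('Implemented Categories')
        if ($catKey) {
            $cats = @($catKey.GetSubKeyNames())
            $catKey.Close()
        }

        [pscustomobject]@{
            ProgID           = $progId
            CLSID            = $clsidKey.PSChildName
            RegistryView     = $root
            SafeForScripting = $cats -contains $SafeForScripting
            SafeForInit      = $cats -contains $SafeForInit
        }
    }
}

if ($findings) {
    $findings | Sort-Object ProgID | Format-Table -AutoSize
} else {
    Write-Output "No COM classes with a ProgID starting with '$ProgIdPrefix' are registered."
}
```

A control can also declare itself safe at run time through the IObjectSafety interface, so a `False` in the SafeForScripting column does not by itself prove the control cannot be scripted; an empty result after removal is the outcome to look for.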
Thanks to GreyMagic Software for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
Date First Published: 2002-09-24
Date Last Updated: 2002-09-24 15:51 UTC