Microsoft KB Archive/328130

= Unsafe functions in Office XP Web Components =

Article ID: 328130

Article Last Modified on 12/4/2007

-

APPLIES TO


 * Microsoft Office Web Components
 * Microsoft Office Spreadsheet Component 9.0
 * Microsoft Office Chart Component 9.0
 * Microsoft Office PivotTable Component 9.0
 * Microsoft Office XP Professional Edition
 * Microsoft Office XP Professional with FrontPage
 * Microsoft Office XP Standard Edition
 * Microsoft Project 2002 Standard Edition
 * Microsoft Project 2002 Professional Edition
 * Microsoft Project Server 2002
 * Microsoft Internet Security and Acceleration Server 2000 Standard Edition

-



This article was previously published under Q328130



SUMMARY
The Microsoft Office Web Components contain several ActiveX controls that give users limited functionality of Microsoft Office in a Web browser without requiring that the user install the full Microsoft Office program. This functionality permits users to use Microsoft Office programs in situations where installation of the full program is infeasible or undesirable.

The control contains three security vulnerabilities, each of which might be exploited either by means of a Web site or HTML mail. The vulnerabilities result because of implementation errors in the following methods and functions the controls expose:
 * Host - By design, this function provides the caller with access to program object models on the user's system. By using the Host function, an attacker might, for example, open an Office program on the user's system and invoke commands there that would carry out operating system commands as the user.
 * LoadText - This method permits a Web page to load text into a browser window. This method verifies that the source of the text is in the same domain as the window, and in theory restricts the page to only loading text that it hosts itself. However, it is possible to circumvent this restriction by specifying a text source located in the Web page's domain, and then by setting up a server-side redirect of that text to a file on the user's system. This would provide an attacker with a way to read any file that they want on the user's system.
 * Copy/Paste - These methods permit text to be copied and pasted. A security vulnerability results because the method does not respect the &quot;disallow paste via script&quot; security setting in Microsoft Internet Explorer. Therefore, even if this setting had been selected, a Web page might continue to access the copy buffer and read any text that the user had copied or deleted from other programs.



MORE INFORMATION
For more information about these vulnerabilities, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS02-044.mspx

The &quot;kill bit&quot; is a method by which an ActiveX control can be prevented from ever being invoked by means Internet Explorer, even if it is present on the system. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

240797 How to Stop an ActiveX Control from Running in Internet Explorer

Typically, when a security vulnerability involves an ActiveX control, the patch delivers a new control and sets the &quot;kill bit&quot; on the vulnerable control. However, this patch does not set the &quot;kill bit&quot; because the ActiveX control involved in these vulnerabilities is used in Web pages produced by Office programs to access data. Many programs, which include third-party programs, contain hard-coded references to it; if the patch set the &quot;kill bit&quot;, the Web pages would no longer function at all - even with the new, corrected version. As a result, the patch updates the control to remove the vulnerabilities, but does not provide a brand-new control and set the &quot;kill bit&quot; on the old one.

Office XP
If you use Office XP, apply Office XP Service Pack 2 (SP-2) to resolve these vulnerabilities. In addition to addressing these issues, it includes many other important security and stability fixes. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

325671 OFFXP: Overview of the Office XP Service Pack 2

NOTE: If you cannot apply Office XP SP-2 at this time, apply the updated version of Office Web Components.

Project 2002 Update
If you use Project 2002, apply the Project 2002 patch. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

328043 PRJ2002: Microsoft Project 2002 Update: August 20, 2002

NOTE: The Project 2002 patch is not included in Office XP SP-2. Therefore, if you use Office XP and Project 2002, apply the Project 2002 patch and Office XP SP-2.

Project Server 2002 Update
If you use Project Server 2002, apply the Project Server 2002 patch. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

328044 Microsoft Project Server 2002 update: August 20, 2002

NOTE: The Project Server 2002 patch is not included in Office XP SP-2. Therefore, if you use Office XP and Project Server 2002, apply the Project Server 2002 patch and Office XP SP-2.

Office Web Components
If you use Office Web Components, apply the Office Web Components patch. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

322382 OFF: Office Web Components Security Update: August 20, 2002

Additional query words: inf OFFXP security_patch owc MS02-044

Keywords: kbproductlink kbfunctions kbhowto kbinfo kbofficexpsp2fix kbsecbulletin kbsecurity kbsecvulnerability KB328130

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.