Microsoft KB Archive/303521

= WD: Microsoft Word for Macintosh Security Update FAQ =

Article ID: 303521

Article Last Modified on 7/16/2007

-

APPLIES TO


 * Microsoft Word 2001 for Mac
 * Microsoft Word 98 for Macintosh

-



This article was previously published under Q303521



SUMMARY
This article contains answers to frequently asked questions about the Microsoft Word for Macintosh Security Update: Macro Vulnerability.

The update is available at the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=3cb2a7e8-8515-423c-a021-1daac4f4ae79



MORE INFORMATION
What is the scope of the vulnerability?

This vulnerability could enable an attacker to create a document that, when opened in Word, runs a macro without the user's permission. Macros can take any action that the user is capable of taking. As a result, this vulnerability could give an attacker the opportunity to take actions such as changing data, communicating with Web sites, reformatting the hard disk, or changing the Word security settings. The vulnerability only affects Microsoft Word, and only when Rich Text Format (RTF) documents are opened. Other Microsoft Office programs are not affected. The vulnerability does not exist when opening Word documents.

What causes the vulnerability?

The vulnerability occurs because Word does not check the template for embedded macros when you open a Rich Text Format document that is linked to a Word template. In the case where Word is used to open an RTF file that contains a link to a template, only the RTF file is checked for macros. The template, which might also contain macros, is not checked.

What does the update do?

The update eliminates the vulnerability by causing the correct macro checking to be performed, even when you open an RTF file that is linked to a Word template.

What is Rich Text Format?

Rich Text Format (RTF) is a specification for encoding formatted text and graphics. The principal benefit of RTF is that it is supported by a number of word processors on a number of different platforms. For example, if one user uses Word to create RTF files, that user can share the files with another user who uses an entirely different word processor. You can open and process RTF documents in Word, and Word documents can be saved in RTF, if you want. However, there is a security vulnerability involving the way that Word opens such files, and this could allow macros to run without the user's permission.

What is a macro?

In general, the term macro refers to a small program that automates commonly performed tasks within an operating system or an application. All members of the Office family of products support the use of macros. Companies can develop macros that perform sophisticated productivity tasks by running within Word, Excel, or PowerPoint. Like any computer program, though, macros can be misused. In particular, because of the popularity of Office products, many viruses are written as macros and embedded within Office documents. To combat this threat, Office has developed a security model that is designed to ensure that macros can only run when the user wants them to. In this case, however, there is a flaw in the security model, which can occur when you open an RTF document that is linked to a template containing a macro.

What is a template?

A template can be thought of as a skeleton document. For example, a template for a research paper might define the needed styles, include pre-built headers and footers, and include any required boilerplate text. When a user needs to create a new research paper, the user can use the template as a foundation upon which to develop the actual paper. Like other documents, templates can contain macros. When Word is used to open a document that is based on a template, both the document and the template should be checked for macros. The vulnerability involves a case in which this is not done correctly.

What could this enable an attacker to do?

An attacker could use this vulnerability to bypass the normal Word security model. Specifically, if the attacker creates a template that contains a macro, bases an RTF file on the template, and persuades another user to open the RTF file, the macro in the template would run without the user's permission.

What could the macro do?

The macro could take any action that the user could take on their computer. This includes adding, changing, or deleting files, communicating with a Web site, and so on. Note that a macro could also change the user's security settings. This could include disabling macro protection. As a result, if the user were attacked via this vulnerability, the user's security settings could be compromised, and other macros that are normally stopped by Word would now be able to run.

How would the attacker deliver the document to another user?

The attacker has a variety of options. They could host the document on a Web site, or, if the attacker has sufficient access, save the document on a share. Likewise, the attacker could target a particular user by sending the document to the user via e-mail or passing it to another on a floppy disk.

If the attacker sent the RTF file to another user, would the attacker need to send the template with it?

Not necessarily. RTF and Word files do not have to be collocated with their associated templates. Instead, the template can reside in a remote location, and the document can link to it via a Web (HTTP) connection. Thus, an attacker could create an RTF file that would link back to a template on the attacker's Web site, thereby avoiding the need to send both the RTF file and the template to the user.

'''Suppose the user opened an RTF file, and then saved it as a Word file. If another user later opened the Word file, could it exploit the vulnerability?'''

No. The security settings work correctly when opening a Word document, even one that is linked to a template.

Does the vulnerability affect any other Office products?

No. Because Word is the only Office product that can open RTF files, Word is the only Office product affected by the vulnerability.

