Microsoft KB Archive/311382

= MacOFF: Frequently Asked Questions About the Microsoft Macro Security Updates =

Article ID: 311382

Article Last Modified on 7/19/2007

-

APPLIES TO


 * Microsoft Office 2001 for Mac
 * Microsoft Office 98 for Macintosh
 * Microsoft Excel 2001 for Mac
 * Microsoft PowerPoint 2001 for Mac
 * Microsoft Word 2001 for Mac
 * Microsoft Excel 98 for Macintosh
 * Microsoft PowerPoint 98 for Macintosh
 * Microsoft Word 98 for Macintosh

-



This article was previously published under Q311382



SUMMARY
Microsoft has released updates that address a vulnerability that could allow malicious code to run without warning in a file created in the products listed at the beginning of this article.

The following is a listing of the updates and the Web sites where they are available:

Microsoft Word 2001 for Mac Security Update: Macro Vulnerability

http://www.microsoft.com/downloads/details.aspx?FamilyID=3cb2a7e8-8515-423c-a021-1daac4f4ae79

Microsoft PowerPoint/Excel 2001 Macro Security Update

http://www.microsoft.com/mac/downloads.aspx?pid=download&location=/mac/download/office2001/Office20019_0_6.xml&secid=10&ssid=26&flgnosysreq=True

Microsoft Word 98 for Mac Security Update: Macro Vulnerability

http://microsoft.com/mac/download/office98/wordmacro98.asp

PowerPoint/Excel 98 Macro Vulnerability Update

http://microsoft.com/mac/download/office98/pptxlmacro.asp



MORE INFORMATION
What is the scope of the vulnerability in Word?

This vulnerability could enable an attacker to create a document that, when opened in Word, runs a macro without asking for the user's permission. Macros can take any action that the user is capable of taking. As a result, this vulnerability could give an attacker the opportunity to take actions such as changing data, communicating with Web sites, reformatting the hard disk, or changing the Word security settings. The vulnerability only affects Word, and only when Rich Text Format (RTF) documents are opened. Other Microsoft Office programs are not affected. The vulnerability does not exist when opening Word documents.

What causes the vulnerability in Word?

The vulnerability occurs because Word does not check the template for embedded macros when you open a Rich Text Format document that is linked to a Word template. When Word is used to open an RTF file that contains a link to a template, only the RTF file is checked for macros. The template, which might also contain macros, is not checked.

How are Excel and PowerPoint vulnerable?

If you do not install the update for your version of PowerPoint/Excel, your installations of Excel and PowerPoint will be vulnerable to malicious macros. An attacker could create a file that contains a macro that runs without your permission. Macros can take any action that you can take. As a result, this vulnerability could give an attacker the opportunity to take actions such as changing data, communicating with Web sites, reformatting the hard disk, or changing some security settings. By changing your security settings, an attacker could disable macro protection. If the attacker then delivered a malicious macro, your system would not be protected.

What do the updates do?

In Word, the update eliminates the vulnerability by causing the correct macro checking to be performed, even when you open an RTF file that is linked to a Word template. In Excel and PowerPoint, the update eliminates the vulnerability by making sure that macros are checked correctly.

What is Rich Text Format?

Rich Text Format (RTF) is a specification for encoding formatted text and graphics. The principal benefit of RTF is that it is supported by a number of word processors on a number of different platforms. For instance, if a user uses Word to create RTF files, the user can share the files with another user who uses an entirely different word processor. You can open and process RTF documents in Word, and Word documents can be saved in RTF, if you want. However, there is a security vulnerability involving the way that Word opens such files, and this could allow macros to run without the user's permission.

What is a macro?

In general, the term &quot;macro&quot; refers to a small program that automates commonly performed tasks within an operating system or an application. All members of the Office family of products support the use of macros. Companies can develop macros that perform sophisticated productivity tasks within Word, Excel, and PowerPoint. Like any computer program, though, macros can be misused. In particular, because of the popularity of Office products, many viruses are written as macros and embedded within Office documents. To combat this threat, Office has developed a security model that is designed to ensure that macros can only run when the user wants them to. In this case, however, there is a flaw in the security model, which can occur when you open an RTF document that is linked to a template containing a macro.

What is a template?

A template can be thought of as a skeleton document. For example, the template of a research paper might define the needed styles, include pre-built headers and footers, and include any required boilerplate text. When a user needs to create a new research paper, the user can use the template as a foundation upon which to develop the actual paper. Like other documents, templates can contain macros. When Word is used to open a document that is based on a template, both the document and the template should be checked for macros. The vulnerability involves a case in which this is not done correctly.

What can this vulnerability in Word enable an attacker to do?

An attacker could use this vulnerability to bypass the normal Word security model. Specifically, if an attacker created a template containing a macro, based an RTF file on the template, and persuaded another user to open the RTF file, the macro in the template would run without asking the user's permission.

What could the macro do?

The macro could take any action that the user could take on the user's computer. This includes adding, changing, or deleting files, communicating with a Web site, and so forth. Note that a macro could also change the user's security settings. This could include disabling macro protection. As a result, if the user were attacked via this vulnerability, the user's security settings could be compromised, and other macros that are normally stopped by Word would now be able to run.

How would the attacker deliver the document to another user?

The attacker has a variety of options. The attacker could host the document on a Web site or, with sufficient access, save the document on a share. Likewise, an attacker could target a particular user by sending the document to the user in e-mail or passing it to the user on a disk.

If the attacker sent the RTF file to another user, would the attacker need to send the template with it?

Not necessarily. RTF and Word files do not have to be collocated with their associated templates. Instead, the template can reside in a remote location, and the document can link to it via a Web (HTTP) connection. Thus, an attacker could create an RTF file that would link back to a template on his Web site, thereby avoiding the need to send both the RTF file and the template to the user.

'''Suppose the user opened an RTF file and then saved it as a Word file. If another user later opened the Word file, could it exploit the vulnerability?'''

No. The security settings work correctly when opening a Word document, even one that is linked to a template.

Does the Word vulnerability affect any Office products other than Word?

No. Word is the only Office product that can open RTF files, and as a result is the only Office product affected by the vulnerability.

Additional query words: OFF2001 mac OFF2001KB WD2001 WD98 PPT2001 PPT98 XL2001 XL98 word powerpoint excel WD PPT XL OFF office macro virus VBA automation automatic auto FAQ

Keywords: kbinfo KB311382

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.