[VulnWatch] Guninski Advisory #53 - Office XP issues.

From: Steve (steve@securesolutions.org)
Date: Sun Mar 31 2002 - 14:15:33 EST


http://www.guninski.com/m$oxp-2.html

A more realistic workaround than replacing your mail and office suite
organization-wide would be to use filtering at your mail gateways to not
allow any mail containing any type of active content (ActiveX, Java, HTML,
etc.). I believe you can accomplish this with Exchange 2000 and with
third-party content management tools. You can also force each mail
client to not run active content at the client level, but this probably
isn't as reliable.

Unfortunately there is no word as to when an MS patch will be released,
but in their defense they have only known about the issue for two weeks.
The URL above contains a full exploit example, so I am sure it won't be
long before we see a wave of email viruses exploiting this one, although
the risk appears to be low/medium as the user would need to be tricked
into replying to/forwarding the malicious email.

Scenario 2 is a high risk for those who are in the habit of opening
documents sent to them by those they don't know. In general it is a bad
idea to email .DOC and .XLS documents, which we all learned during the
macro virus days, right? :-)

It wouldn't be hard for antivirus companies to add a signature to detect
scenario 2. But again, that makes the assumption that we all use up-to-date
antivirus solutions.

Regards and Happy Easter;

Steve Manzuik
Moderator - VulnWatch
steve@vulnwatch.org
www.vulnwatch.org

-----From the Advisory-----

> Georgi Guninski security advisory #53, 2002

> More Office XP problems

> Systems affected:
> Office XP

> Risk: High
> Date: 31 March 2002

> Description:
> Actually there are at least two vulnerabilities in Office XP.
> 1. It is possible to embed active content (object + script) in HTML
> mail which is triggered if the user chooses reply or forward to the
> mail. This opens an exploit scenario for forcing the user to visit a
> page in the internet zone of IE at least. For another exploit scenario
> check (2).
> 2. There is a bug in ms spreadsheet component. Namely in its Host()
> function which may be exploited with the help of (1) or probably from
> any document opened with Office application. This buggy function
> allows creating files with arbitrary names and their content may be
> specified to some extent which is sufficient to place an executable
> file (.hta) in user's startup directory which may lead to taking full
> control over user's computer. This probably may be called cross
> application scripting because one application uses object from another
> application.

> Workaround/Solution:
> The solution is to get a real mail client and office applications.
> Workaround for this particular problem is: For (1) -
> disable everything that contains "active" in IE. For (2) - (Have not
> tested it personally) Deregister and delete the ms
> office spreadsheet component

> Vendor status:

> Microsoft was notified on 17 March 2002.
> They had 2 weeks to produce a patch but didn't.
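The gateway filtering suggested at the top of this post, written out as an added example. This is not code from the post, from VulnWatch or from the advisory: it is a Python sketch that parses each message, rejects any text/html part carrying markup a mail client could execute (script/object/embed/applet/frame elements, on* handlers, javascript:/vbscript: URLs, scripted CSS), and blocks .hta attachments (the file type the advisory names) plus a few script types the example adds on its own. The sample messages are constructed for the example and the classid in them is a placeholder, not a real control.

```python
"""Mail-gateway filter for active HTML content (added example, not from the post).

Parses each message, flags markup in text/html parts that a mail client could
execute, and blocks attachment types the site does not want. The tag, attribute
and extension lists below are this example's own policy choices.
"""
import email
import os
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Elements that load or run code when a mail client renders HTML.
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe", "frame"}
# Attributes that carry a URL, where a script scheme means code execution.
URL_ATTRS = {"href", "src", "action", "data", "background", "codebase"}
SCRIPT_SCHEMES = {"javascript", "vbscript"}
# Attachment policy: .hta is the type the advisory names; the rest are this
# example's own additions (assumption, tune to your environment).
BLOCKED_EXTENSIONS = {".hta", ".vbs", ".js", ".wsf", ".scr", ".pif"}


class ActiveContentScanner(HTMLParser):
    """Records every element or attribute that could execute in the client."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            # Collapse whitespace so "java\tscript:" or "java\nscript:" is caught.
            value = "".join((value or "").split()).lower()
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and value.partition(":")[0] in SCRIPT_SCHEMES:
                self.findings.append(f"{value.partition(':')[0]}: URL in <{tag} {name}>")
            elif name == "style" and ("expression(" in value or "behavior:" in value):
                self.findings.append(f"scripted CSS on <{tag}>")


def scan_html(markup: str) -> list:
    """Return the list of active-content findings for one HTML body."""
    scanner = ActiveContentScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings


def scan_message(raw: bytes) -> dict:
    """Return {"action": "reject" | "deliver", "reasons": [...]} for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename and os.path.splitext(filename)[1].lower() in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type: {filename}")
        if part.get_content_type() == "text/html":
            reasons.extend(scan_html(part.get_content()))
    return {"action": "reject" if reasons else "deliver", "reasons": reasons}


def build_sample(html_body: str, attachment=None) -> bytes:
    """Build a constructed test message: plain + HTML alternative, optional attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("Plain-text alternative.")
    msg.add_alternative(html_body, subtype="html")
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Constructed samples. The classid is a placeholder, not a real control.
BENIGN_HTML = "<html><body><p>Minutes attached.</p><a href='http://example.com/'>site</a></body></html>"
ACTIVE_HTML = (
    "<html><body>"
    "<object classid='clsid:00000000-0000-0000-0000-000000000000'></object>"
    "<script>run()</script>"
    "<img src='x' onerror='run()'>"
    "</body></html>"
)
OBFUSCATED_HTML = "<html><body><a href='java\tscript:run()'>click</a></body></html>"

if __name__ == "__main__":
    for label, raw in [
        ("benign", build_sample(BENIGN_HTML)),
        ("active", build_sample(ACTIVE_HTML)),
        ("obfuscated", build_sample(OBFUSCATED_HTML)),
        ("hta", build_sample(BENIGN_HTML, ("startup.hta", b"<script>run()</script>"))),
    ]:
        print(label, scan_message(raw))
```

The filter only sees what Python's tolerant HTML parser sees; a mail client's rendering engine may accept markup this parser does not, so treat a gateway rule like this as a layer in front of patching and client hardening, not a replacement for either.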
