SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Generic)  >   Microsoft Word Vendors:   Microsoft
(Microsoft Issues Fix) Microsoft Word Document Processing File Include Bug May Let Remote Users Obtain Files From a Target User's System
SecurityTracker Alert ID:  1005437
SecurityTracker URL:  http://securitytracker.com/id/1005437
CVE Reference:   CAN-2002-1143   (Links to External Site)
Date:  Oct 17 2002
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in Microsoft Word. A remote user may be able to obtain files from a target user's system.

A remote user can reportedly insert a specially crafted 'INCLUDETEXT' field in a document and send it to a remote user. If the target user then edits and saves the document, files specified by the INCLUDETEXT field and located on the target user's system may be automatically and silently included in the document. If this document is then returned to the remote user, the included files may be inadvertently disclosed to the remote user.

As a demonstration exploit, the following field structure can be inserted into the footer of the last page to steal the contents of the file 'c:\a.txt' on the target user's computer. Note that the plain curly braces represent Word field braces.

{ IF { INCLUDETEXT { IF { DATE } = { DATE } "c:\\a.txt" "c:\\a.txt" } \* MERGEFORMAT } = "" "" \* MERGEFORMAT }

Microsoft has stated that "the issue appears to affect all versions of Microsoft Word," according to an Associated Press report.
Impact:   A remote user may obtain files on a target user's computer if the target user will edit, save, and return a malicious Word document.
Solution:   The vendor has released the following patches:

For Microsoft Word 2002:

http://office.microsoft.com/downloads/2002/wrd1005.aspx

For Microsoft Word 2000:

http://office.microsoft.com/downloads/2000/wrd0902.aspx

For Word 97/Word 98(J):

Information on receiving Word 97 & Word 98(J) support is available at: http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q330080

For Word X for Macintosh:

http://www.microsoft.com/mac/download/security.asp

For Word 2001 for Macintosh:

http://www.microsoft.com/mac/download/security.asp

For Word 98 for Macintosh:

http://www.microsoft.com/mac/download/security.asp

The Word 2002 patch can be installed on Word 2002 with Office XP SP2. The Word 2000 patch can be installed on Word 2000 with Office 2000 SR1 or SP2. The Word 98(J) patch can be installed on Microsoft Word 98(J) Gold or any Word 98(J) service release, but is only supported on Word 98(J) Service Release 2b. The Word 97 patch can be installed on Microsoft Word 97 Gold or any Word 97 service release, but is only supported on Word 97 Service Release 2b.

The Word X for Macintosh patch can be installed on the latest version of Office v.X. To determine the latest version of Office, see: http://www.microsoft.com/mac/download/misc/make_office_current.asp

The Word 2001 for Macintosh patch can be installed on the latest version of Office 2001. To determine the latest version of Office, see: http://www.microsoft.com/mac/download/misc/make_office_current.asp

The Word 98 for Macintosh patch can be installed on the latest version of Office 98. To determine the latest version of Office, see: http://www.microsoft.com/mac/download/misc/make_office_current.asp

Microsoft plans to include the fix for this issue in any future service packs for the affected products.

Microsoft also plans to issue Knowledge Base article Q330008 regarding this flaw, to be available shortly on the Microsoft Online Support web site:

http://support.microsoft.com/?scid=fh;en-us;kbhowto
Vendor URL:  www.microsoft.com/technet/security/bulletin/MS02-059.asp (Links to External Site)
Cause:   Access control error, State error
Underlying OS:   Windows (Any), error, MacOS

Message History:   This archive entry is a follow-up to the message listed below.
Sep 16 2002 (Microsoft Responds) Microsoft Word Document Processing File Include Bug May Let Remote Users Obtain Files From a Target User's System


 Source Message Contents
Date:  Wed, 16 Oct 2002 17:29:38 -0700
Subject:  Microsoft Security Bulletin MS02-059: Flaw in Word Fields and Excel External Updates Could Lead to Information Disclosure


-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      Flaw in Word Fields and Excel External Updates Could 
Lead to Information Disclosure (Q330008)
Date:       16 October 2002
Software:   Microsoft(r) Word and Microsoft(r) Excel
Impact:     Information Disclosure
Max Risk:   Moderate
Bulletin:   MS02-059

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS02-059.asp.
- ----------------------------------------------------------------------

Issue:
======
Word and Excel provide a mechanism through which data from one 
document can be inserted to and updated in another document. This 
mechanism, known as field codes in Word and external updates in 
Excel, can be automated to reduce the amount of manual effort 
required by a user. An example of the use of Word field codes could 
be the automatic insertion of a standard disclaimer paragraph in a 
legal document. An example of the use of external updates in Excel 
could be the automatic updating of a chart in one spreadsheet using 
data in a different spreadsheet. 

A vulnerability exists because it is possible to maliciously use 
field codes and external updates to steal information from a user 
without the user being aware. Certain events can trigger field code 
and external update to be updated, such as saving a document or by 
the user manually updating the links. Normally the user would be 
aware of these updates occurring, however a specially crafted field 
code or external update can be used to trigger an update without any 
indication to the user. This could enable an attacker to create a 
document that, when opened, would update itself to include the 
contents of a file from the user's local computer. 

In order for an attacker to take advantage of this vulnerability, 
the attacker would need to perform the following steps: 

 -Craft a Word or Excel document that exploits the vulnerability 
 -Deliver it to the user, via email or some other method 
 -Entice the user to open the document 
 -Return the document to the attacker. (Microsoft is aware of one 
 case in which it would not be necessary for the user to do this. 
 There is  one method through which the attacker's document could 
 post  information directly to a web site, but it would only allow 
 the first  line of the file to be sent)

Mitigating Factors:
====================
- - The attacker would need to know the location of the file that he or
 she wanted to steal. If the correct filename were not presented, 
 the attack would fail and an invalid field error message would be 
 present in the document.
- - The user could always view the field codes or external updates. The
 field codes or external updates used in the attack can be revealed, 
 as they are only hidden to prevent cluttering the document when it 
 is  being viewed or edited. A method of checking documents for 
 additional undesired information is described in the Frequently 
 Asked Questions below. 
- - Although the attacker could take some steps to obscure the stolen 
 information, the attacker would leave a clear audit trail. Since 
 the field codes or external updates can be viewed, even if an attack
 is successful, the attacker would leave clear evidence in the 
 document in the form of the stolen information and the malicious 
 field codes used. This evidence could be used by law enforcement 
 agencies if  required 
- - The vulnerability would not enable the attacker to delete, modify 
 or add any files to the user's local system. 
- - In virtually all circumstances, the attacker would need to entice 
 the user into returning the document. No information would be 
 revealed unless the user returned the document to the attacker.

Risk Rating:
============
 - Internet systems: None
 - Intranet systems: None
 - Client systems: Moderate

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-059.asp
   for information on obtaining this patch.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS 
ALL 
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE 
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
IN 
NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR 
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, 
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF 
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION 
OR 
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO 
THE 
FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPa2ZzY0ZSRQxA/UrAQHcXAf+I+gQmAv/O9eAtJ7VygEYjZWY0WOHy1od
XULm2U8r0jdGJuRaqKxXVkk98ZVhfZdDUwTyJSAMA9NIo7DqlL591k5TX5k2rqjn
SnNheHac5cEdIjnC1BUNoYvFq9FopMCaI+vuR2mYMCpR9MzYBEIpgg0DKddvX9L3
Ug4ObBN/vGkWSDTbyyTWPgTNJV0njPBy+ZAwbYoS9PHbYFQui/oSRDxPzACv9/92
kA9R+OREra0Zc61wxawtoHCsXJed4MIYnNfLcq4GQsYiqKrB5b8UllHT/jA7uOcl
pI+H56GhimHalSQZj8Mrj390jYKev9usqR6SeVKM0/7vUTa+Etp0qA==
=+HVg
-----END PGP SIGNATURE-----


*******************************************************************

You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service.  For more
 information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.
 
To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.
 
To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp
 
 
If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via email as described
 below:
Reply to this message with the word UNSUBSCRIBE in the Subject line.
 
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC