[AccessD] Re: [dba-Tech] Recent MS Security Updates

Gustav Brock gustav at cactus.dk
Sat Sep 6 10:42:08 CDT 2003


Oops, some cannot see the attachment.

I can highly recommend this newsletter.

/gustav


> I think you have hit the same dead end as Woody has in paragraph 8 ...

<quote>

         --==>> WOW -- WOODY's OFFICE WATCH <<==--
    Microsoft Office advice and news from Woody Leonhard
                4 September 2003        Vol 8 No 35


Within the past 12 hours, Microsoft released four Security Bulletins for Office products. This
is our "rapid response" WOW to the flurry of activity. There are good points, bad points, at
least one gotcha, and a host of unanswered questions, but the bottom line is that I recommend
you install all the patches, immediately.

Please pass this edition of WOW along to your friends, family, co-workers - even that weird guy
in the cubicle across from you. It's important. It's complicated, too, as you'll soon see.

Anyone can join WOW, it's free and your email address is private.  Hop to
http://woodyswatch.com/wow/  or send a blank email to wow at woodyswatch.com


1. What Happened
2. MS03-035 / 824936 / 824934
3. MS03-036 / 824993 / 824938
4. MS03-037 / 822035 / 822036
5. MS03-038 / 826292 / 826293
6. If You Have Office XP
7. If You Have Office 2000
8. If You Have Office 97 and/or Visio 2000
9. The Good Point: One Kudos for Microsoft
10. Keep WOW Alive and Free


1. WHAT HAPPENED
Microsoft has just released four security patches: three rated "Important" and one "Critical".
I recommend that you install them all right away, but read the specific instructions below first.

No matter which version of Office or which Office products you use (including Access), you need
to patch your PC. You also need to patch your PC if you have FrontPage 2000 or 2002, Project
2000 or 2002, Publisher 2002, Visio 2000 or 2002, Works 2001, 2002, or 2003, or several of the
"MS Business Solutions" products.

VBA is a big part of this round of security fixes, and many, many applications run VBA. Folks
who own any of the 300 products listed at http://msdn.microsoft.com/vba/companies/company.asp
(including AutoCAD, CorelDRAW, WordPerfect, Peachtree, and many more) will undoubtedly be
receiving instructions to patch their systems, too. It would be a good idea to wait until the
manufacturer contacts you, or to keep an eye on the manufacturer's Web site. The patching
instructions for each product may vary a bit. Good luck.


In the headings below, I've identified each patch by security bulletin number (MS03-???), and
also by the Knowledge Base article number which is used to identify and track the patch. Many of
the references you'll see in the press relate to bulletin numbers. But when you go to install a
patch, all you'll see is the KB article number. Worse, there's also a Knowledge Base article
with a completely different number that gives technical details on the hole and the fix. I
listed those KB article numbers at the bottom of each security hole's description. It's a real
mess. I hope this kinda cuts through some of the obfuscation.


2. MS03-035 / 824936 / 824934
MS03-035: "Flaw in Microsoft Word Could Enable Macros to Run Automatically"

Patch for Word 2000: http://woodyswatch.com/kb?824936
Patch for Word 2002 (Office XP): http://woodyswatch.com/kb?824934

The problem described in MS03-035 affects Word 97, 2000, and 2002 (the version of Word in
Office XP). It also affects Works 2001, 2002 and 2003 because they all contain vulnerable
versions of Word.

At this point, I don't know if it affects Word 2003, but based on the way they handled the
other patches (see below), I'll bet Microsoft built the fix into Office 2003 before it released
the gold code. 

There are very few details online about this security hole, although it sounds like the
"flipped macro bit" hole that I discussed more than two years ago in WOW 6.30
(http://www.woodyswatch.com/office/archtemplate.asp?v6-n30 ). In that earlier exploit, Steven
McLeod discovered a way to flip a single bit in a Word document, and have Word bypass macro
screening. It led to the first patch of Word 2002. 

According to MS's Web page, the particular problem in MS03-035 was discovered by Jim Bassett.
Jim reports, "I just stumbled on the security hole by accident. A co-worker (non-developer) made
a Word template in an unusual way. I noticed that new documents created from this template
behaved strangely. I investigated and discovered that when you create a template in a particular
manner, derived documents always get past macro security. It happened on all versions of Word
including 2003 Beta."

Jim reports that he first notified Microsoft in May, so it took four months for this patch to
appear.

http://www.microsoft.com/technet/security/bulletin/MS03-035.asp
http://woodyswatch.com/kb?827653


3. MS03-036 / 824993 / 824938
MS03-036: Buffer Overrun in WordPerfect Converter Could Allow Code Execution

Patch for Office 2000: http://woodyswatch.com/kb?824993
Patch for Office XP: http://woodyswatch.com/kb?824938

This is a gaping security hole in the program that Word uses to open WordPerfect-formatted
documents. Because Internet Explorer cranks up Word whenever it tries to open a .doc, IE
"inherits" the security hole from Word. (A bit ironic, actually, when you think about how many
times Outlook has "inherited" security holes from IE and its HTML rendering engine.)

It's a traditional buffer overflow problem: the WordPerfect converter doesn't check to make
sure that data coming in fits inside the allocated area. As a result, a craftily concocted
WordPerfect document can blow away the converter, take over, and start running any program the
attacker likes.

Microsoft lists the vulnerable programs as Office 97, 2000, and XP, FrontPage 2000 and 2002,
Publisher 2000 and 2002, and Works 2001, 2002, and 2003. According to Microsoft, all of those
programs automatically install the faulty converter (although I don't understand how the
converter would be invoked if Word isn't installed - oh well). 

No official word on whether it affects Office 2003, but when you install Build 5604 of Office
2003 (the final Office 2003 Build is 5612), you get the same "good" Word Converter file mentioned
in the Knowledge Base articles. Thus, it's highly likely that Microsoft caught the problem and
fixed it before Office 2003 went gold.

eEye Digital Security - the folks who have uncovered more than a dozen security holes in
Internet Explorer - caught this one, too. They report that it's taken Microsoft four months to
plug the hole.

http://www.microsoft.com/technet/security/bulletin/MS03-036.asp
http://woodyswatch.com/kb?827103
http://www.eeye.com/html/Research/Advisories/AD20030903-1.html


4. MS03-037 / 822035 / 822036
MS03-037: Flaw in Visual Basic for Applications Could Allow Arbitrary Code Execution 

Patch for Office 2000: http://woodyswatch.com/kb?822035
Patch for Office XP: http://woodyswatch.com/kb?822036

This is the biggie. It's rated "critical" because you can get infected by simply replying to or
forwarding an infected email message - assuming you use Word as your Email editor.

Don't get me started.

There's a buffer overflow problem with the VBA Editor (er, the "Visual Basic Design Time
Environment Library"). Yeah, you read that right. 

Here's how it works. Say you open a .doc file with Word. One early part of the process of
opening a file involves Word plucking off a bit of the file and handing it to the VBA Editor
(actually, handing it to the Visual Basic Design Time Environment Library, VBE.DLL). In effect,
to a first approximation, Word asks the VBA Editor if VBA needs to be loaded in order to take
care of the file. And Word asks VBE.DLL before it officially "opens" the file.

That's when the problem occurs. If Word is tricked into plucking off too much data (which is
remarkably easy to do), VBE.DLL gulps down the whole gob of data, chokes, and starts running the
data that's passed to it, as if it were a program. If a bad guy jimmies a Word document so the
plucked off part is too long, and sticks a malicious program at the point where VBE.DLL chokes
and starts running the data as if it were a program, you have a classic buffer overflow attack.

A lot of people are confused because they think their macro scanning anti-virus software should
handle this sort of problem. In short, it can't (at least, not in the way you usually think of
virus checkers working). Why? This initial plucking and feeding to VBE.DLL occurs long before
Word even scans the document for macros, much less invokes the security levels you've set, or
calls your anti-virus package.

That's why WordMail can get clobbered. If you try to reply to or forward a message, WordMail
plucks a string off the message and hands it to VBE.DLL, asking VBA if it needs to be loaded. If
the string's too long, VBE.DLL can start running whatever program the bad guy stuck at the end
of the string. Your anti-virus software will never even see the message.

It's a helluva bad problem. 

As far as I can tell, anything and everything that uses Visual Basic for Applications is
vulnerable. As mentioned earlier, that would include all of the 300-plus products made by
companies that paid to have VBA included with their software. No doubt Corel and AutoCAD and a
couple hundred other vendors are a bit, uh, peeved at this point.

Remarkably, Microsoft does NOT list Outlook in the MS03-037 Security Bulletin lineup of
afflicted products. That must be an oversight. Outlook certainly does use VBA. I bet MS fixes
the KB article within minutes of reading this.

Although there's no mention of Office 2003 in the Security Bulletin or KB articles, when you
install Office 2003 Build 5604 (RTM is Build 5612), you get the "good" updated VBE6.DLL
discussed in KB articles 822035 and 822036. Apparently MS fixed this hole before Office 2003 was
released to manufacturing.

eEye caught this one, too. It took Microsoft four months to patch this hole.

http://www.microsoft.com/technet/security/bulletin/MS03-037.asp
http://woodyswatch.com/kb?822715
http://www.eeye.com/html/Research/Advisories/AD20030903-2.html


5. MS03-038 / 826292 / 826293
MS03-038 - Unchecked Buffer in Microsoft Access Snapshot Viewer May Permit Code Execution

Patch for Access 2000: http://woodyswatch.com/kb?826292
Patch for Access 2002 (Office XP): http://woodyswatch.com/kb?826293

This is another buffer overflow bug. (Somebody remind me. Didn't Microsoft perform a month-long
security lockdown and code review, specifically aimed at buffer overflows and other common
security holes, about a year ago? Hundreds of millions of dollars, if memory serves. Hmmmmm...)

The Access Snapshot Viewer is a program that lets you look at a "snapshot" of an Access
database. No, I've never used it, either.

This particular security hole is susceptible to the same "kill bit" problem that the old Office
Web Components bug encountered. I talked about the kill bit cat-and-mouse game in WOW 7.40,
http://www.woodyswatch.com/OFFICE/archtemplate.asp?v7-n40 . Basically, even if you download and
apply the fix, it's still possible for a really persistent cretin to undo your patch, remotely,
operating from a Web site you visit. As far as I know, there aren't any good solutions to kill
bit problems. You just have to wait for the next Internet Explorer patch, and apply it.

And pray.

Microsoft credits Oliver Lavery with finding this hole. I've written to Oliver, and will let
you know if he wants to add anything.

http://www.microsoft.com/technet/security/bulletin/MS03-038.asp
http://woodyswatch.com/kb?827104


6. IF YOU HAVE OFFICE XP
I hate to do it, but I'm going to recommend that you go to the Office Update site,
http://www.office.microsoft.com/ProductUpdates/default.aspx , and apply whatever patches
Microsoft may have for you.

Why? Because there's working "exploit" code already posted on the Web for MS03-036 and
MS03-037. It won't be long before somebody with a black hat figures out a way to use it.

I've installed the patches on my own Office XP machines, and nothing has fallen over yet. I've
combed the newsgroups and haven't heard any wailing or gnashing of teeth - although many folks
are skeptical of Office Update. (No, you *can't* get these patches from Windows Update. You have
to use Office Update.)

If you want to download individual files, heaven help ya!, the Administrative Update page with
links to all the Office XP update files is at
http://www.microsoft.com/office/ork/xp/journ/oxpupdte.htm . You can also try following the
instructions in the KB articles I noted at the end of the discussion for each security hole.


7. IF YOU HAVE OFFICE 2000
See the above recommendation for Office XP. The only good way I can figure to get all of the
right patches (and there's a bunch of them, especially if you have FrontPage or Publisher) is
via Office Update.

Office 2000 (and 97) Administrative Updates (which is Microsoft speak for "downloadable
patches") are listed at http://www.microsoft.com/office/ork/xp/journ/o2kupdte.htm


8. IF YOU HAVE OFFICE 97 AND/OR VISIO 2000
Sez Microsoft: "A supported fix is now available from Microsoft, but it is only intended to
correct the problem that is described in this article. Apply it only to computers that are
experiencing this specific problem." 

Of course, Microsoft doesn't provide you with enough information to determine whether or not a
specific PC is experiencing the MS03-035 problem, in particular, but it appears to me as if all
Office 97 computers are vulnerable to all four threats.

Worse, if you wait until the 'specific problem' appears it means you probably have been
attacked in some way.

Here's "Trustworthy Computing" in action - Microsoft is recommending you do nothing until
something bad happens.  And people wonder why I don't take Microsoft at face value.

For MS03-035: Start at http://woodyswatch.com/kb?827647 and follow the instructions to beg
Microsoft for the patch.

For MS03-036: Start at http://woodyswatch.com/kb?827656 and beg.

For MS03-037: Start at http://woodyswatch.com/kb?822150 and download and apply the generic VBA
update.

For MS03-038: You need to download the new Access Snapshot Viewer at
http://www.microsoft.com/accessdev/articles/snapshot.htm?&gssnb=1


WOODY's EMAIL ESSENTIALS - our new, free, newsletter, all about email.
WEE will give you news and tips on Outlook Express - yes, finally a place for all those OE
users to call home.
There'll also be advice on email etiquette, spam prevention, email services and scams.  Just
click on this link to join using the same email address as this issue of WOW
http://woodyswatch.com/email/subscribe.asp?cactus@cactus.dk
Or send a blank email to wee at woodyswatch.com


9. THE GOOD POINT: ONE KUDOS FOR MICROSOFT
Somebody in Redmond decided, once again, that Office 97 applications will be patched, even if
Office 97 is, at least theoretically, orphaned.

That's the right decision to make, and I want to thank the person or people who made it.

It'd sure be nice if we didn't have to beg to get the updates. But at least they're available.

Hopefully some sanity will prevail and the patches will be made available without going cap in
hand to Microsoft.  Well, maybe not sanity so much as self-preservation as waves of unhappy
Office 97 / Visio 2000 users call Microsoft support.

So far, the patches look stable. Let's all keep our fingers crossed. 


10. KEEP WOW ALIVE AND FREE
If you like the no-nonsense style you see in this newsletter - the straight scoop, whether
Microsoft likes it or not, dished out in a way that won't put you to sleep - get one of my books!

"Windows XP All-In-One Desk Reference For Dummies", Hungry Minds
     http://www.woodyswatch.com/l.asp?0764515489

"Special Edition Using Microsoft Office XP" with Ed Bott, Que
     http://www.woodyswatch.com/l.asp?0789725134

"Special Edition Using Microsoft Office 2000" with Ed Bott, Que
     http://www.woodyswatch.com/l.asp?0789718421

"Woody Leonhard Teaches Office 2000", Que
     http://www.woodyswatch.com/l.asp?0789718715


</quote>
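Three of the four bulletins above (MS03-036, MS03-037 and MS03-038) are the same bug class: a parser copies data whose length comes from the file into a fixed-size buffer without checking that it fits. The following is an added illustration of that pattern and its fix, written for this archive page; it is not code from the newsletter, from Microsoft, or from any Office converter. The record layout (two little-endian length bytes followed by that many bytes of text), the `RUN_MAX` buffer size and all function names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record format for this example (not the layout of any real
 * WordPerfect or Word file): two little-endian length bytes followed by
 * that many bytes of text. A converter reads such records and copies the
 * text into a fixed-size working buffer. */
#define RUN_MAX 32   /* capacity of the working buffer, not counting the NUL */

/* Build a record in buf: length prefix plus n bytes of 'A' (constructed
 * sample input). Returns the record size in bytes, or 0 if buf is too small. */
size_t build_run(uint8_t *buf, size_t cap, size_t n)
{
    if (n > 0xFFFF || cap < n + 2) return 0;
    buf[0] = (uint8_t)(n & 0xFF);
    buf[1] = (uint8_t)((n >> 8) & 0xFF);
    memset(buf + 2, 'A', n);
    return n + 2;
}

/* The unchecked pattern the newsletter describes: the length field read
 * from the file is trusted, so a record declaring more than RUN_MAX bytes
 * writes past the end of 'out'. Shown for contrast; the demo below only
 * feeds it a well-formed record. */
int read_run_unchecked(const uint8_t *rec, size_t rec_len, char *out)
{
    if (rec_len < 2) return -1;
    size_t n = (size_t)rec[0] | ((size_t)rec[1] << 8);
    memcpy(out, rec + 2, n);        /* no comparison of n against RUN_MAX */
    out[n] = '\0';
    return (int)n;
}

/* Hardened version: the declared length must be backed by bytes actually
 * present in the record and must fit the destination with its terminator;
 * anything else is rejected before a single byte is copied. */
int read_run_checked(const uint8_t *rec, size_t rec_len, char *out, size_t out_cap)
{
    if (rec == NULL || out == NULL || out_cap == 0) return -1;
    if (rec_len < 2) return -1;                 /* no room for the length field */
    size_t n = (size_t)rec[0] | ((size_t)rec[1] << 8);
    if (n > rec_len - 2) return -1;             /* claims bytes the record lacks */
    if (n >= out_cap) return -1;                /* would not fit with the NUL */
    memcpy(out, rec + 2, n);
    out[n] = '\0';
    return (int)n;
}

/* Convenience wrapper: build a run declaring n bytes and report what the
 * checked reader makes of it (n if accepted, -1 if rejected). */
int checked_result_for_run(size_t n)
{
    uint8_t rec[512];
    char out[RUN_MAX + 1];
    size_t len = build_run(rec, sizeof rec, n);
    if (len == 0) return -1;
    return read_run_checked(rec, len, out, sizeof out);
}

/* Same record, but the caller only has 'avail' bytes of it (truncated
 * file): the length field promises more than was read. */
int checked_result_for_truncated(size_t n, size_t avail)
{
    uint8_t rec[512];
    char out[RUN_MAX + 1];
    size_t len = build_run(rec, sizeof rec, n);
    if (len == 0 || avail > len) return -1;
    return read_run_checked(rec, avail, out, sizeof out);
}

int main(void)
{
    uint8_t rec[512];
    char out[RUN_MAX + 1];
    size_t len = build_run(rec, sizeof rec, 10);

    /* A well-formed 10-byte run is accepted by both readers. */
    printf("unchecked, n=10:   %d\n", read_run_unchecked(rec, len, out));
    printf("checked,   n=10:   %d (%s)\n", read_run_checked(rec, len, out, sizeof out), out);
    /* A run declaring 200 bytes would overrun the 33-byte buffer; the
     * checked reader refuses it instead of copying. */
    printf("checked,   n=200:  %d\n", checked_result_for_run(200));
    /* A length field that exceeds the bytes actually present is rejected too. */
    printf("checked, truncated: %d\n", checked_result_for_truncated(200, 50));
    return 0;
}
```

The point of the two length checks is that both the destination size and the size of the input actually in hand are compared against the declared length before `memcpy` runs; a converter that only checks one of them can still be pushed past the end of a buffer, which is why the fix for this class of bug is the bounds check at the parser, not a macro or anti-virus scan that runs later.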


