msie-4-5.outlook+word97.txt
Posted Aug 17, 1999

MSIE 4, 5, Outlook and MS Word 97 security hole allows remote attacker to run hostile VBA (Visual Basic for Applications) programs on your PC or workstation without your having to click on any links or download anything. Simply VIEWING a hostile web page can leave you completely vulnerable to trojans, viruses, file deletion, information theft, etc.

tags | exploit, remote, web, trojan
SHA-256 | 2c367f0e2c3e336ac19d05ed5f66b1e70da56ef9cffb4a8ef4eef0e170dd9343

Date: Wed, 27 Jan 1999 14:14:39 +0000
From: Vesselin Bontchev <bontchev@COMPLEX.IS>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: IE 4/5/Outlook + Word 97 security hole

Hello folks,

This is not a strictly Windows NT issue - it affects Windows 9x users
too. However, it is a very important one, so I decided to post about it
here.

Remember the so-called "Russian New Year" problem in Excel? Forget it;
that was peanuts. Exploiting it required substantial knowledge of Excel,
Windows programming, and assembly language (because the size of the
programs that could be dropped was minimal). Not that uncommon a
combination, but one requiring at least some level of knowledge and
experience from the attacker. This new problem can be exploited much,
MUCH easier - and all the attacker has to know is Visual Basic for
Applications.

Essentially, if you are using Internet Explorer 4.x or 5.x and Word 97
(the beta, the original release, SR-1, or the SR-2 patch), you are
vulnerable. Vulnerable, in the sense that just visiting a Web page can
result in running a hostile VBA program on your machine without any
warnings. If, in addition, you are using Outlook (any version of it),
you are even more vulnerable - the attacker can run a hostile VBA
program on your machine by just sending you an HTML e-mail message. (The
hostile program will be run when you just VIEW the message - no need to
click on any links.) The hostile program can do just about anything
(drop a virus, delete files, steal information) - VBA is an extremely
powerful language - and very easily.

The problem consists of several parts. The first part is caused by the
fact that by default IE 4.x/5.x automatically launches
Word/Excel/PowerPoint to view URLs which point to DOC/XLS/PPT files (and
all other file extensions for these applications). That is, you are not
given the option to save the file to disk instead of opening it. If the
file contains hostile macros, these macros could be executed by the
respective application.

Microsoft "protects" you from such attacks with the so-called built-in
macro virus protection of the Office 97 versions of the applications
mentioned above. That is, if the document you are trying to open
contains any macros, the application will display a warning by default
(this can be easily turned off) and will offer you the options to open
the document as is, to open it without the macros (the default), or not
to open it at all. Please note that this protection is available only in
Office 97 - the previous versions of these applications do not have it
(except the rare Word 7.0a). But they aren't vulnerable to the attack I
am describing anyway.

This protection has several problems. First of all, it often causes
false positives - it sometimes triggers even when the document does not
contain any macros. (I can elaborate when exactly this happens, if there
is interest.) This often causes people to turn it off. Second, it
doesn't tell you whether the document contains a virus or not - it just
warns you about the generic presence of macros. Third, and worst of all,
the Word 97 implementation of it contains a serious security hole.

When Word 97 opens a document, the built-in macro virus protection
checks this document for macros (VBA modules). However, it doesn't
perform a similar check on the template this document is based on - and,
if this template contains any auto macros, they will be executed when
the document based on it is opened. Without any warnings whatsoever.

I have discovered and documented this security hole more than two and a
half years ago. I have reported it to Microsoft people at several
anti-virus conferences. Microsoft did nothing about it - until recently.

The third part of the problem is the most substantial one - the part
which makes this attack easy to carry out remotely. Normally, I wouldn't
have revealed the technical details about it. However, the bad guys have
figured it out already - there is at least one Web site which tempts the
user to click on a link allegedly containing a "list of sex sites
passwords" and which uses this attack to infect the user's machine with
a macro virus which infects Word 97, Excel 97 and PowerPoint 97
documents. :-(

So, the third part of the problem is caused by the fact that when
specifying the template a Word 97 document is based on, you can specify
not just a local file but also a URL. The previous versions of Word do
not have this capability, therefore they are not vulnerable to this
attack.

I had prepared a demonstration of the attack and it seems to have been
impressive enough, because Microsoft reacted rather quickly this time -
in about a week. They issued a patch which fixed the second part of the
problem - with it, the built-in macro virus protection of Word 97 checks
for macros not only the document that is being opened but also the
template it is based on. Please see

Microsoft Security Bulletin:
http://www.microsoft.com/security/bulletins/ms99-002.asp
Office Update Download Page:
http://officeupdate.microsoft.com/downloaddetails/wd97sp.htm

for more information.

Folks, if you are using IE 4.x/5.x and/or Outlook and Word 97, you
_*MUST*_ install this patch! Otherwise your systems are WIDE open and
the security hole is *trivial* to exploit! Note, however, that the patch
will install only on Word 97 SR-1 or SR-2. It will *not* install on the
original Word 97. If you patch Word 97 SR-1, this will not prevent you
from patching it later to SR-2.

I would also advise you to make the necessary changes so that IE offers
you the option to save the remote DOC/DOT files instead of automatically
launching Word to view them. In order to do this, start the Explorer
(the file explorer, not IE), select View/Options/File Types, find the
types Microsoft Word <anything> (where <anything> stands for Addin,
Backup Document, Document, Template, Wizard and anything else you find
there), select each one of them in sequence, click on the Edit button
and make sure that the checkbox labeled "Confirm Open After Download"
(near the bottom of the dialog that appears) is checked.

And, in general, do not trust files with executable content received
from dubious sources. Unfortunately, as Microsoft continues to blur the
difference between your local hard disk and the Internet, problems like
this one will only get worse. :-( I wonder when we'll see another
Internet Worm based on a security hole like that... Connectivity is a
good thing, but it has to rely on a sound security model - not on a
bunch of patched-together last-minute ugly hacks which try to "protect"
you by essentially telling you that "you are doing something, are you
sure?".

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44 E5 F7 C3 18 EA 2B AE 4E
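One way to audit the File Types setting the post tells you to change, as an added example that is not part of the original message: the "Confirm Open After Download" checkbox is stored as the FTA_OpenIsSafe bit of the EditFlags value under each ProgID in HKEY_CLASSES_ROOT (the bit is set when the box is unchecked, i.e. when the shell opens downloaded files without asking). The Word 97 ProgID names and the sample EditFlags values below are assumptions constructed for the example.

```python
"""Audit which Word 97 file types the shell would open straight from a download."""
from typing import Dict, List

# FILETYPEATTRIBUTEFLAGS bit: when set, the shell does NOT ask before opening
# a downloaded file of this type ("Confirm Open After Download" unchecked).
FTA_OPEN_IS_SAFE = 0x00010000

# ProgIDs for the Word 97 types the post lists (assumed names, not from the post).
WORD97_PROGIDS = ["Word.Document.8", "Word.Template.8", "Word.Addin.8",
                  "Word.Backup.8", "Word.Wizard.8"]


def confirm_open_enabled(edit_flags: int) -> bool:
    """True when the shell will prompt before opening a downloaded file."""
    return (edit_flags & FTA_OPEN_IS_SAFE) == 0


def audit(edit_flags_by_progid: Dict[str, int]) -> List[str]:
    """Return the ProgIDs that would be auto-opened (the risky setting).

    A ProgID with no EditFlags value is treated as 0, which means: prompt.
    """
    return [progid for progid in WORD97_PROGIDS
            if not confirm_open_enabled(edit_flags_by_progid.get(progid, 0))]


def read_edit_flags_from_registry() -> Dict[str, int]:
    """Read the live EditFlags values on Windows; returns {} where winreg is absent."""
    try:
        import winreg
    except ImportError:
        return {}
    found: Dict[str, int] = {}
    for progid in WORD97_PROGIDS:
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, progid) as key:
                value, _ = winreg.QueryValueEx(key, "EditFlags")
        except OSError:  # ProgID or value not present
            continue
        # EditFlags may be stored as REG_DWORD or as a 4-byte REG_BINARY blob
        found[progid] = int.from_bytes(value, "little") if isinstance(value, bytes) else int(value)
    return found


# Constructed sample registry state: two types auto-open, one prompts,
# the remaining two have no EditFlags value at all.
SAMPLE_EDIT_FLAGS = {
    "Word.Document.8": FTA_OPEN_IS_SAFE,
    "Word.Template.8": FTA_OPEN_IS_SAFE | 0x00000100,  # plus an unrelated bit
    "Word.Addin.8": 0x00000000,
}

if __name__ == "__main__":
    live = read_edit_flags_from_registry() or SAMPLE_EDIT_FLAGS
    print("auto-opened after download:", audit(live))
```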
