Date: Wed, 27 Jan 1999 14:14:39 +0000
From: Vesselin Bontchev
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: IE 4/5/Outlook + Word 97 security hole

Hello folks,

This is not a strictly Windows NT issue - it affects Windows 9x users too. However, it is a very important one, so I decided to post about it here.

Remember the so-called "Russian New Year" problem in Excel? Forget it; that was peanuts. Exploiting it required substantial knowledge of Excel, Windows programming, and assembly language (because the size of the programs that could be dropped was minimal). Not that uncommon combination, but one requiring at least some level of knowledge and experience from the attacker. This new problem can be exploited much, MUCH easier - and all the attacker has to know is Visual Basic for Applications.

Essentially, if you are using Internet Explorer 4.x or 5.x and Word 97 (the beta, the original release, SR-1, or the SR-2 patch), you are vulnerable. Vulnerable, in the sense that just visiting a Web page can result in running a hostile VBA program on your machine without any warnings.

If, in addition, you are using Outlook (any version of it), you are even more vulnerable - the attacker can run a hostile VBA program on your machine by just sending you an HTML e-mail message. (The hostile program will be run when you just VIEW the message - no need to click on any links.)

The hostile program can do just about anything (drop a virus, delete files, steal information) - VBA is an extremely powerful language - and very easily.

The problem consists of several parts.

The first part is caused by the fact that by default IE 4.x/5.x automatically launches Word/Excel/PowerPoint to view URLs which point to DOC/XLS/PPT files (and all other file extensions for these applications). That is, you are not given the option to save the file to disk instead of opening it. If the file contains hostile macros, these macros could be executed by the respective application.

Microsoft "protects" you from such attacks with the so-called built-in macro virus protection of the Office 97 versions of the applications mentioned above. That is, if the document you are trying to open contains any macros, the application will display a warning by default (this can be easily turned off) and will offer you the options to open the document as is, to open it without the macros (the default), or not to open it at all. Please note that this protection is available only in Office 97 - the previous versions of these applications do not have it (except the rare Word 7.0a). But they aren't vulnerable to the attack I am describing anyway.

This protection has several problems. First of all, it often causes false positives - it sometimes triggers even when the document does not contain any macros. (I can elaborate when exactly this happens, if there is interest.) This often causes people to turn it off. Second, it doesn't tell you whether the document contains a virus or not - it just warns you about the generic presence of macros. Third, and worst of all, the Word 97 implementation of it contains a serious security hole.

When Word 97 opens a document, the built-in macro virus protection checks this document for macros (VBA modules). However, it doesn't perform a similar check on the template this document is based on - and, if this template contains any auto macros, they will be executed when the document based on it is opened. Without any warnings whatsoever.

I have discovered and documented this security hole more than two and a half years ago. I have reported it to Microsoft people at several anti-virus conferences. Microsoft did nothing about it - until recently.

The third part of the problem is the most substantial one - the part which makes this attack easy to carry out remotely. Normally, I wouldn't have revealed the technical details about it. However, the bad guys have figured it out already - there is at least one Web site which tempts the user to click on a link allegedly containing a "list of sex sites passwords" and which uses this attack to infect the user's machine with a macro virus which infects both Word 97, Excel 97 and PowerPoint 97 documents. :-(

So, the third part of the problem is caused by the fact that when specifying the template a Word 97 document is based on, you can specify not just a local file but also an URL. The previous versions of Word do not have this capability, therefore they are not vulnerable to this attack.

I had prepared a demonstration of the attack and it seems to have been impressive enough, because Microsoft reacted rather quickly this time - in about a week. They issued a patch which fixed the second part of the problem - with it, the built-in macro virus protection of Word 97 checks for macros not only the document that is being opened but also the template it is based on. Please see

Microsoft Security Bulletin:
Office Update Download Page:

for more information.

Folks, if you are using IE 4.x/5.x and/or Outlook and Word 97, you _*MUST*_ install this patch! Otherwise your systems are WIDE opened and the security hole is *trivial* to exploit!

Note, however, that the patch will install only on Word 97 SR-1 or SR-2. It will *not* install on the original Word 97. If you patch Word 97 SR-1, this will not prevent from patching it later to SR-2.

I would also advise you to make the necessary changes so that IE offers you the option to save the remote DOC/DOT files instead of automatically launching Word to view them. In order to do this, start the Explorer (the file explorer, not IE), select View/Options/File Types, find the types Microsoft Word (where stands for Addin, Backup Document, Document, Template, Wizard and anything else you find there), select each one of them in sequence, click on the Edit button and make sure that the checkbox labeled "Confirm Open After Download" (near the bottom of the dialog that appears) is checked.

And, in general, do not trust files with executable content received from dubious sources.

Unfortunately, as Microsoft continues to blur the difference between your local hard disk and the Internet, problems like this one will only get worse. :-( I wonder when we'll see another Internet Worm based on a security hole like that... Connectivity is a good thing, but it has to rely on a sound security model - not on a bunch of patched-together last-minute ugly hacks which try to "protect" you by essentially telling you that "you are doing something, are you sure?".

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland producers of F-PROT.
e-mail:, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44 E5 F7 C3 18 EA 2B AE 4E
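
A defender-side check for the condition the message describes (a Word document whose template reference is a URL rather than a local file), added here as an example and not part of the original post. It goes beyond Word 97 by also reading the attached-template relationship of OOXML packages; for legacy binary files it only scans for URL strings ending in a Word extension, which is a heuristic and does not parse the Word 97 format. All function names, the example URL and both sample files are constructed for illustration.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# OOXML relationship type that names a document's attached template.
ATTACHED = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
RELS_PART = "word/_rels/settings.xml.rels"
REMOTE = ("http://", "https://", "ftp://")
# Heuristic for binary files: a URL that ends in a Word document/template extension.
URL_RE = re.compile(r"(?:https?|ftp)://[\x21-\x7e]{1,200}?\.do[ct][mx]?(?![\x21-\x7e])", re.I)


def scan_ooxml(data):
    """Return remote attached-template targets declared in a .docx/.docm package."""
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        if RELS_PART not in pkg.namelist() or pkg.getinfo(RELS_PART).file_size > 1_000_000:
            return []  # part absent, or implausibly large for a rels file
        root = ET.fromstring(pkg.read(RELS_PART))
    return [rel.get("Target") for rel in root.iter(RELS_NS + "Relationship")
            if rel.get("Type") == ATTACHED and rel.get("TargetMode") == "External"
            and rel.get("Target", "").lower().startswith(REMOTE)]


def scan_binary(data):
    """Heuristic: URL strings in single-byte or UTF-16LE text (either alignment)."""
    views = (data.decode("latin-1"),
             data.decode("utf-16-le", "replace"),
             data[1:].decode("utf-16-le", "replace"))
    hits = []
    for text in views:
        for match in URL_RE.finditer(text):
            if match.group(0) not in hits:
                hits.append(match.group(0))
    return hits


def find_remote_templates(data):
    """Dispatch on the file signature: ZIP (OOXML) or anything else (legacy binary)."""
    return scan_ooxml(data) if data[:4] == b"PK\x03\x04" else scan_binary(data)


# Constructed samples (not real documents): a fake legacy file and a minimal package.
URL = "http://templates.example.invalid/normal.dot"
LEGACY = b"\xd0\xcf\x11\xe0" + b"\x00" * 16 + URL.encode("utf-16-le") + b"\x00\x00"
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _z:
    _z.writestr(RELS_PART, '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
                'Target="%s" TargetMode="External"/></Relationships>' % (RELS_NS[1:-1], ATTACHED, URL))
PACKAGE = _buf.getvalue()
```

A hit from the binary scan can also be an ordinary hyperlink to a .doc or .dot file, so treat it as a reason to inspect the document, not as a verdict.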