[Full-Disclosure] FW: Microsoft Security Bulletin MS03-035: Flaw in Microsoft Word Could Enable Macros to Run Automatically(827653)
- To: <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: [Full-Disclosure] FW: Microsoft Security Bulletin MS03-035: Flaw in Microsoft Word Could Enable Macros to Run Automatically(827653)
- From: "Rainer Gerhards" <rgerhards@xxxxxxxxxxxxxx>
- Date: Thu, 4 Sep 2003 10:38:44 +0200
Excellent piece of Microsoft software...
Can't even install it on Word 2002 German on WinXP German. The patch
says (translated) "did not find the product expected". I then tried the
office update site. That fails with a general error, telling me I
should review my security settings.
Bottom line: nice patch, but can't install...
Am I now guilty of laziness if I do not patch?
Anyone else with similar problems?
Rainer Gerhards
> -----Original Message-----
> From: Microsoft
> [mailto:0_51912_A303F73D-CBD5-4F48-8040-2B7DCAAAC7DF_DE@Newsletters.Microsoft.com]
> Sent: Thursday, September 04, 2003 6:41 AM
> To: Rainer Gerhards
> Subject: Microsoft Security Bulletin MS03-035: Flaw in
> Microsoft Word Could Enable Macros to Run Automatically(827653)
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> - -------------------------------------------------------------------
> Title: Flaw in Microsoft Word Could Enable Macros to Run
> Automatically (827653)
> Date: September 3, 2003
> Software: Microsoft Word 97
> Microsoft Word 98 (J)
> Microsoft Word 2000
> Microsoft Word 2002
> Microsoft Works Suite 2001
> Microsoft Works Suite 2002
> Microsoft Works Suite 2003
> Impact: Run macros without warning
> Max Risk: Important
> Bulletin: MS03-035
>
> Microsoft encourages customers to review the Security Bulletins at:
>
> http://www.microsoft.com/technet/security/bulletin/MS03-035.asp
> http://www.microsoft.com/security/security_bulletins/MS03-035.asp
>
> - -------------------------------------------------------------------
>
> Issue:
> ======
> A macro is a series of commands and instructions that can be
> grouped together as a single command to accomplish a task
> automatically. Microsoft Word supports the use of macros to allow
> the automation of commonly performed tasks. Since macros are
> executable code it is possible to misuse them, so Microsoft Word
> has a security model designed to validate whether a macro should be
> allowed to execute depending on the level of macro security the
> user has chosen.
>
> A vulnerability exists because it is possible for an attacker to
> craft a malicious document that will bypass the macro security
> model. If the document was opened, this flaw could allow a
> malicious macro embedded in the document to be executed
> automatically, regardless of the level at which macro security is
> set. The malicious macro could take the same actions that the user
> had permissions to carry out, such as adding, changing or deleting
> data or files, communicating with a web site or formatting the hard
> drive.
>
> The vulnerability could only be exploited by an attacker who
> persuaded a user to open a malicious document - there is no way for
> an attacker to force a malicious document to be opened.
>
> Mitigating Factors:
> ====================
> - The user must open the malicious document for an attacker to be
> successful. An attacker cannot force the document to be opened
> automatically.
>
> - The vulnerability cannot be exploited automatically through
> e-mail. A user must open an attachment sent in e-mail for an
> e-mail borne attack to be successful.
>
> - By default, Outlook 2002 blocks programmatic access to the
> Address Book. In addition, Outlook 98 and 2000 block
> programmatic access to the Outlook Address Book if the Outlook
> Email Security Update has been installed. Customers who use any
> of these products would not be at risk of propagating an e-mail
> borne attack that attempted to exploit this vulnerability.
>
> - The vulnerability only affects Microsoft Word - other members of
> the Office product family are not affected.
>
> Risk Rating:
> ============
> -Important
>
> Patch Availability:
> ===================
> - A patch is available to fix this vulnerability. Please read the
> Security Bulletins at
>
> http://www.microsoft.com/technet/security/bulletin/MS03-035.asp
> http://www.microsoft.com/security/security_bulletins/MS03-035.asp
>
> for information on obtaining this patch.
>
> Acknowledgment:
> ===============
> - Jim Bassett of Practitioners Publishing Company
> (http://www.ppcnet.com)
> - -------------------------------------------------------------------
>
> THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
> PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
> ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
> OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO
> EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
> ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
> CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
> MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
> POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
> OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
> SO THE FOREGOING LIMITATION MAY NOT APPLY.
>
>
>
>
>
>
>
> *******************************************************************
>
> You have received this e-mail bulletin because of your
> subscription to the Microsoft Product Security Notification
> Service. For more information on this service, please visit
> http://www.microsoft.com/technet/security/notify.asp.
>
> To verify the digital signature on this bulletin,
> please download our PGP key at
> http://www.microsoft.com/technet/security/notify.asp.
>
> To unsubscribe from the Microsoft Security
> Notification Service, please visit the Microsoft Profile
> Center at http://register.microsoft.com/regsys/pic.asp
>
> If you do not wish to use Microsoft Passport, you can
> unsubscribe from the Microsoft Security Notification Service
> via email as described below:
> Reply to this message with the word UNSUBSCRIBE in the Subject line.
>
> For security-related information about Microsoft products,
> please visit the Microsoft Security Advisor web site at
> http://www.microsoft.com/security.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html