SUMMARY
The Microsoft Office Web Components contain several ActiveX controls
that give users limited functionality of Microsoft Office in a Web browser
without requiring that the user install the full Microsoft Office program.
This functionality permits users to use Microsoft Office programs in
situations where installation of the full program is infeasible or
undesirable.
The control contains three security vulnerabilities,
each of which might be exploited either by means of a Web site or HTML mail.
The vulnerabilities result because of implementation errors in the following
methods and functions the controls expose:
- Host() - By design, this function provides the caller with access to
program object models on the user's system. By using the Host() function,
an attacker might, for example, open an Office program on the user's system
and invoke commands there that would carry out operating system commands as the
user.
- LoadText() - This method permits a Web page to load text into a browser
window. This method verifies that the source of the text is in the same domain
as the window, and in theory restricts the page to only loading text that it
hosts itself. However, it is possible to circumvent this restriction by
specifying a text source located in the Web page's domain, and then by setting
up a server-side redirect of that text to a file on the user's system. This
would provide an attacker with a way to read any file that they want on the
user's system.
- Copy()/Paste() - These methods permit text to be copied and pasted. A security
vulnerability results because the method does not respect the "disallow paste
via script" security setting in Microsoft Internet Explorer. Therefore, even if
this setting had been selected, a Web page might continue to access the copy
buffer and read any text that the user had copied or deleted from other
programs.
MORE INFORMATION
For more information about these vulnerabilities, visit the
following Microsoft Web site:
The "kill bit" is a method by which an ActiveX control can be
prevented from ever being invoked by means of Internet Explorer, even if it is
present on the system.
For additional information, click
the article number below to view the article in the Microsoft Knowledge Base:
240797 How to Stop an ActiveX Control from Running in Internet Explorer
Typically, when a security vulnerability involves
an ActiveX control, the patch delivers a new control and sets the "kill bit" on
the vulnerable control. However, this patch does not set the "kill bit" because
the ActiveX control involved in these vulnerabilities is used in Web pages
produced by Office programs to access data. Many programs, which
include third-party programs, contain hard-coded references to it; if the
patch set the "kill bit", the Web pages would no longer function at all - even
with the new, corrected version. As a result, the patch updates the control to
remove the vulnerabilities, but does not provide a brand-new control and set
the "kill bit" on the old one.
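Because this patch leaves the kill bit unset, an administrator may want to confirm the state of a control after deployment. The following is an added example, not code from the Knowledge Base article: it parses the text of a `reg export` of the ActiveX Compatibility key described in KB 240797 and reports whether the kill bit (bit 0x400 of the "Compatibility Flags" value) is set for a given CLSID. The CLSIDs in the embedded sample are constructed placeholders, not the Office Web Components' own.

```python
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" bit that blocks a control in IE (KB 240797)
ACTIVEX_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed sample of what `reg export` of the ActiveX Compatibility key produces.
# The CLSIDs are placeholders, not the Office Web Components CLSIDs.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-3333-3333-3333-333333333333}]
"AlternateCLSID"="{44444444-4444-4444-4444-444444444444}"
"""

KEY_RE = re.compile(r"^\[(?P<path>.+)\]\s*$")
DWORD_RE = re.compile(r'^"Compatibility Flags"=dword:(?P<hex>[0-9a-fA-F]{8})\s*$', re.IGNORECASE)

def parse_compat_flags(reg_text):
    """Map each CLSID subkey under the ActiveX Compatibility key to its
    Compatibility Flags value (0 when the subkey exists but sets no flags)."""
    flags = {}
    current = None  # CLSID of the subkey whose values we are currently reading
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            parent, _, clsid = m.group("path").rpartition("\\")
            current = clsid.upper() if parent.lower() == ACTIVEX_KEY.lower() else None
            if current:
                flags.setdefault(current, 0)
            continue
        m = DWORD_RE.match(line)
        if m and current:
            flags[current] = int(m.group("hex"), 16)
    return flags

def kill_bit_status(reg_text, clsid):
    """True if the kill bit is set for clsid, False if the subkey exists without it,
    None if the control has no ActiveX Compatibility entry at all."""
    value = parse_compat_flags(reg_text).get(clsid.upper())
    if value is None:
        return None
    return bool(value & KILL_BIT)
```

A real `reg export` file is written as UTF-16LE text, so decode it with that encoding before passing it to `kill_bit_status`.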
Office XP
If you use Office XP, apply Office XP Service Pack 2 (SP-2) to
resolve these vulnerabilities. In addition to addressing these issues, it
includes many other important security and stability fixes. For
additional information, click the following article number to view the article
in the Microsoft Knowledge Base:
325671 OFFXP: Overview of the Office XP Service Pack 2
NOTE: If you cannot apply Office XP SP-2 at this time, apply the
updated version of Office Web Components.
Project 2002 Update
If you use Project 2002, apply the Project 2002 patch.
For additional information, click the
article number below to view the article in the Microsoft Knowledge Base:
328043 PRJ2002: Microsoft Project 2002 Update: August 20, 2002
NOTE: The Project 2002 patch is not included in Office XP SP-2.
Therefore, if you use Office XP and Project 2002, apply the Project 2002 patch
and Office XP SP-2.
Project Server 2002 Update
If you use Project Server 2002, apply the Project Server 2002 patch.
For additional information, click the following article number to view the article
in the Microsoft Knowledge Base:
328044 Microsoft Project Server 2002 Update: August 20, 2002
NOTE: The Project Server 2002 patch is not included in Office XP SP-2.
Therefore, if you use Office XP and Project Server 2002, apply the Project
Server 2002 patch and Office XP SP-2.
Office Web Components
If you use Office Web Components, apply the Office Web Components
patch.
For additional information, click
the article number below to view the article in the Microsoft Knowledge Base:
322382 OFF: Office Web Components Security Update: August 20, 2002