MacOFF: Frequently Asked Questions About the Microsoft Macro Security Updates (311382)



The information in this article applies to:

  • Microsoft Office 2001 for Mac
  • Microsoft Office 98 Macintosh Edition
  • Microsoft Excel 2001 for Mac
  • Microsoft PowerPoint 2001 for Macintosh
  • Microsoft Word 2001 for Macintosh
  • Microsoft Excel 98 Macintosh Edition
  • Microsoft PowerPoint 98 Macintosh Edition
  • Microsoft Word 98 Macintosh Edition

This article was previously published under Q311382

SUMMARY

Microsoft has released updates that address a vulnerability that could allow malicious code to run without warning in a file created in the products listed at the beginning of this article.

The following is a listing of the updates and the Web sites where they are available:

Microsoft Word 2001 for Mac Security Update: Macro Vulnerability
http://microsoft.com/mac/download/office2001/wordmacro.asp

Microsoft PowerPoint/Excel 2001 Macro Security Update
http://microsoft.com/mac/download/office2001/pptxlmacro.asp

Microsoft Word 98 for Mac Security Update: Macro Vulnerability
http://microsoft.com/mac/download/office98/wordmacro98.asp

PowerPoint/Excel 98 Macro Vulnerability Update
http://microsoft.com/mac/download/office98/pptxlmacro.asp

For additional information about how to install the updates, click the article number below to view the article in the Microsoft Knowledge Base:

311344 MacOFF: Office 2001 and Office 98 Macro Security Updates Available Online

MORE INFORMATION

What is the scope of the vulnerability in Word?

This vulnerability could enable an attacker to create a document that, when opened in Word, runs a macro without asking for the user's permission. Macros can take any action that the user is capable of taking. As a result, this vulnerability could give an attacker the opportunity to take actions such as changing data, communicating with Web sites, reformatting the hard disk, or changing the Word security settings. The vulnerability only affects Word, and only when Rich Text Format (RTF) documents are opened. Other Microsoft Office programs are not affected. The vulnerability does not exist when opening Word documents.

What causes the vulnerability in Word?
The vulnerability occurs because Word does not check the template for embedded macros when you open a Rich Text Format document that is linked to a Word template. When Word is used to open an RTF file that contains a link to a template, only the RTF file is checked for macros. The template, which might also contain macros, is not checked.

How are Excel and PowerPoint vulnerable?
If you do not install the update for your version of PowerPoint/Excel, your installations of Excel and PowerPoint will be vulnerable to malicious macros. An attacker could create a file that contains a macro that runs without your permission. Macros can take any action that you can take. As a result, this vulnerability could give an attacker the opportunity to take actions such as changing data, communicating with Web sites, reformatting the hard disk, or changing some security settings. By changing your security settings, an attacker could disable macro protection. If the attacker then delivered a malicious macro, your system would not be protected.

What do the updates do?
In Word, the update eliminates the vulnerability by causing the correct macro checking to be performed, even when you open an RTF file that is linked to a Word template. In Excel and PowerPoint, the update eliminates the vulnerability by making sure that macros are checked correctly.

What is Rich Text Format?
Rich Text Format (RTF) is a specification for encoding formatted text and graphics. The principal benefit of RTF is that it is supported by a number of word processors on a number of different platforms. For instance, if a user uses Word to create RTF files, the user can share the files with another user who uses an entirely different word processor. You can open and process RTF documents in Word, and Word documents can be saved in RTF, if you want. However, there is a security vulnerability involving the way that Word opens such files, and this could allow macros to run without the user's permission.

What is a macro?
In general, the term "macro" refers to a small program that automates commonly performed tasks within an operating system or an application. All members of the Office family of products support the use of macros. Companies can develop macros that perform sophisticated productivity tasks within Word, Excel, and PowerPoint. Like any computer program, though, macros can be misused. In particular, because of the popularity of Office products, many viruses are written as macros and embedded within Office documents. To combat this threat, Office has developed a security model that is designed to ensure that macros can only run when the user wants them to. In this case, however, there is a flaw in the security model, which can occur when you open an RTF document that is linked to a template containing a macro.

What is a template?
A template can be thought of as a skeleton document. For example, the template of a research paper might define the needed styles, include pre-built headers and footers, and include any required boilerplate text. When a user needs to create a new research paper, the user can use the template as a foundation upon which to develop the actual paper. Like other documents, templates can contain macros. When Word is used to open a document that is based on a template, both the document and the template should be checked for macros. The vulnerability involves a case in which this is not done correctly.

What can this vulnerability in Word enable an attacker to do?
An attacker could use this vulnerability to bypass the normal Word security model. Specifically, if an attacker created a template containing a macro, based an RTF file on the template, and persuaded another user to open the RTF file, the macro in the template would run without asking the user's permission.

What could the macro do?
The macro could take any action that the user could take on the user's computer. This includes adding, changing, or deleting files, communicating with a Web site, and so forth. Note that a macro could also change the user's security settings. This could include disabling macro protection. As a result, if the user were attacked via this vulnerability, the user's security settings could be compromised, and other macros that are normally stopped by Word would now be able to run.

How would the attacker deliver the document to another user?
The attacker has a variety of options. The attacker could host the document on a Web site or, with sufficient access, save the document on a share. Likewise, an attacker could target a particular user by sending the document to the user in e-mail or passing it to the user on a disk.

If the attacker sent the RTF file to another user, would the attacker need to send the template with it?
Not necessarily. RTF and Word files do not have to be collocated with their associated templates. Instead, the template can reside in a remote location, and the document can link to it via a Web (HTTP) connection. Thus, an attacker could create an RTF file that would link back to a template on his Web site, thereby avoiding the need to send both the RTF file and the template to the user.
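A defensive check for the template link described above, as an added example that is not Microsoft's code: it scans RTF bytes for the `\template` destination group defined in the RTF specification and reports whether the linked template is remote. The sample documents, the host name, and the choice to treat `http(s)://` and UNC paths as remote are assumptions made for illustration.

```python
import re

# The RTF specification stores the attached template in a destination group:
#   {\*\template <path-or-URL>}
# The captured group allows RTF-escaped characters (\\, \{, \}, \'hh) in the path.
TEMPLATE_RE = re.compile(rb"\{\s*(?:\\\*\s*)?\\template\b\s*((?:\\[\\{}']|[^{}\\])*)\}")

# Assumption: a template reached over HTTP(S) or a UNC share counts as remote.
REMOTE_RE = re.compile(r"^https?://|^\\\\", re.IGNORECASE)


def unescape_rtf(raw: bytes) -> str:
    """Undo RTF escaping (\\'hh hex bytes and \\\\, \\{, \\}) in a template path."""
    text = raw.decode("latin-1")
    text = re.sub(r"\\'([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)
    text = re.sub(r"\\([\\{}])", r"\1", text)
    return text.strip()


def find_template_links(data: bytes) -> list:
    """Return one finding per template link: byte offset, target, remote flag."""
    findings = []
    for match in TEMPLATE_RE.finditer(data):
        target = unescape_rtf(match.group(1))
        if target:
            findings.append({
                "offset": match.start(),
                "target": target,
                "remote": bool(REMOTE_RE.search(target)),
            })
    return findings


# Constructed sample documents (not taken from any real file).
SAMPLE_REMOTE = rb"{\rtf1\ansi{\*\template http://templates.example.test/report.dot}\pard Report\par}"
SAMPLE_LOCAL = rb"{\rtf1\ansi{\*\template C:\\Templates\\memo.dot}\pard Memo\par}"
SAMPLE_NONE = rb"{\rtf1\ansi\pard Hello\par}"

if __name__ == "__main__":
    for name, doc in [("remote", SAMPLE_REMOTE), ("local", SAMPLE_LOCAL), ("none", SAMPLE_NONE)]:
        print(name, find_template_links(doc))
```

A remote finding on an RTF file received from outside is a reason to inspect the linked template for macros before opening the document in an unpatched copy of Word.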

Suppose the user opened an RTF file and then saved it as a Word file. If another user later opened the Word file, could it exploit the vulnerability?
No. The security settings work correctly when opening a Word document, even one that is linked to a template.

Does the Word vulnerability affect any Office products other than Word?
No. Word is the only Office product that can open RTF files, and as a result is the only Office product affected by the vulnerability.

Modification Type: Major
Last Reviewed: 10/14/2002
Keywords: kbinfo KB311382