-----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2001-28 Automatic Execution of Macros Original release date: October 08, 2001 Last revised: -- Source: CERT/CC A complete revision history can be found at the end of this file. Systems Affected Systems running: * Windows + Microsoft Excel 2000 + Microsoft Excel 2002 + Microsoft PowerPoint 2000 + Microsoft PowerPoint 2002 * Macintosh + Microsoft Excel 98 + Microsoft Excel 2001 + Microsoft PowerPoint 98 + Microsoft PowerPoint 2001 Overview An intruder can include a specially crafted macro in a Microsoft Excel or PowerPoint document that can avoid detection and run automatically regardless of the security settings specified by the user. I. Description Microsoft Excel and PowerPoint scan documents when they are opened and check for the existence of macros. If the document contains macros, the user running Excel or PowerPoint is alerted and asked if he would like the macros to be run. However, Microsoft Excel and PowerPoint may not detect malformed macros, so a user can unknowingly run macros containing malicious code when opening an Excel or PowerPoint document. An intruder who can entice or deceive a victim into opening a document using a vulnerable version of Excel or PowerPoint could take any action the victim could take, including, but not limited to * reading, deleting, or modifying data, either locally or on open file shares * modifying security settings (including macro virus protection settings) * sending electronic mail * posting data to or retrieving data from web sites For more information, please see http://securityresponse.symantec.com/avcenter/security/Content/ 2001.10.04.html http://www.microsoft.com/technet/treeview/default.asp?url=/tech net/security/bulletin/MS01-050.asp Given the strong potential for widespread abuse of this vulnerability, we strongly recommend that you apply patches as soon as you are able. For example, the Melissa virus which spread in March of 1999 used social engineering to convince victims to execute a macro embedded in a Microsoft Word document. For more information, see the CERT/CC Advisory listed below. http://www.cert.org/advisories/CA-1999-04.html As a general practice, everyone should be aware of the potential damage that Trojan horses and other kinds of malicious code can cause to any platform. For more information, see http://www.cert.org/advisories/CA-1999-02.html This vulnerability has been assigned the identifier CAN-2001-0718 by the Common Vulnerabilities and Exposures (CVE) group: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0718 II. Impact An attacker can execute arbitrary code on the target system with the privileges of the victim running Excel or PowerPoint. III. Solution Apply a patch Appendix A contains information from vendors who have provided information for this advisory. We will update the appendix as we receive more information. If a vendor's name does not appear, then the CERT/CC did not hear from that vendor. Please contact your vendor directly. Until a patch can be applied, and as a general practice, we recommend using caution when opening attachments. However, it is important to note that relying on the "From" line in an electronic mail message is not sufficient to authenticate the origin of the document. Appendix A. - Vendor Information This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Microsoft Corporation See Microsoft Security Bulletin MS01-050 Appendix B. - References 1. http://securityresponse.symantec.com/avcenter/security/Content/200 1.10.04.html 2. http://www.microsoft.com/technet/treeview/default.asp?url=/technet /security/bulletin/MS01-050.asp 3. http://www.kb.cert.org/vuls/id/287067 4. http://www.cert.org/advisories/CA-1999-04.html 5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0718 _________________________________________________________________ _________________________________________________________________ The CERT Coordination Center thanks Peter Ferrie and Symantec Security Response, who discovered this vulnerability and published the information in their advisory. Additionally, we thank Microsoft Corporation, who published an advisory on this issue. _________________________________________________________________ Author: Ian A. Finlay and Shawn V. Hernan. ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2001-28.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2001 Carnegie Mellon University. Revision History October 8, 2001: initial release -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBO8H+YKCVPMXQI2HJAQHlegP+P6LyxsV880PLmLoip+dUJs6LcMER+t7r uNU4MABB66f7B8pLNUTHI4cSzTdkH2mYC/fzdro92Z1t5VNTlMAQ3V27WP03OrU6 BdbduoHCXVWZMHYe1otl8ePPwPDwdYvajlEUoXSeG97Jl3pbA5wcCCvBdnRvhREr gSzpV7t53FU= =B68T -----END PGP SIGNATURE-----