Bugtraq mailing list archives

Fwd: Microsoft Word macro vulnerability advisory MS01-034
From: "Steven McLeod" <stevenmcleod () hotmail com>
Date: Fri, 22 Jun 2001 16:58:44 -0000


Within minutes of Microsoft posting the bulletin on their site, my mailbox was swamped with emails from people asking the same two questions. I am therefore forwarding the below email (minus the sample document!) to the BugTraq mailing list to reach a wide audience and answer the two questions I keep getting asked:

1) Reporters asking when I notified Microsoft of the issue. As you can see below, it was the 23rd of April. Yes, I know, it was before Office XP/2002 even went on sale.

2) People asking for a sample document which defeats the macro checking. I think the most responsible course of action is to give users a chance to download the patch and/or antivirus updates before making an example available. SecurityFocus will no doubt make my sample document available at the URL http://www.securityfocus.com/bid/2876 after users have had a chance to protect themselves.

Steven McLeod.

From: "Steven McLeod" <stevenmcleod () hotmail com>
To: aleph1 () securityfocus com
CC: russ.cooper () rc on ca, virus_support () mcafee com, virus_research () nai com, virus_doctor () trendmicro com, samples () F-Secure com, ywee () symantec com, support () sophos com, newvirus () kaspersky com, secure () microsoft com
Subject: Microsoft Word macro vulnerability advisory MS01-034
Date: Fri, 22 Jun 2001 14:28:52 -0000
MIME-Version: 1.0
X-Originating-IP: []
Received: from by lw11fd.law11.hotmail.msn.com with HTTP;Fri, 22 Jun 2001 14:28:52 GMT


I am sending this email to complement Microsoft's Word macro vulnerability advisory just published at http://www.microsoft.com/technet/security/bulletin/MS01-034.asp

Attached to this email is the sample I sent Microsoft when I alerted them to this issue.

I am also forwarding this email with the sample included to the major antivirus vendors for them to examine.

I will leave it up to SecurityFocus' good judgment as to when the sample file should be included in the "exploit" section of your vulnerability database so that system administrators can test their systems after applying Microsoft's patch. Looking at the structure of your site, I assume that this sample document will reside at http://www.securityfocus.com/bid/2876

I would like to take this opportunity to thank (in no particular order) Alex Uy, Eric Schultze and Scott Culp (Microsoft Security Response Center), Elias Levy (Mr BugTraq), and Russ Cooper (Mr NTBugTraq) for their comments and assistance with this issue.

Steven McLeod.

From: "Steven McLeod" <stevenmcleod () hotmail com>
To: secure () microsoft com
Subject: Macro Viruses
Date: Mon, 23 Apr 2001 09:44:20 -0000


When you open a Microsoft Word document which contains macros,
the default security level causes MS Word to pop up a message
box stating "This document contains macros, which could be a
virus" and allows the user to "Disable macros" or "Enable macros".

Alternatively, if the user's macro security is set to the most
secure setting (requiring macros to be signed) all untrusted macros
will automatically be stripped out from the document.

This macro security feature of MS Word (in Office 2000 and Office
97) can be trivially bypassed by a malicious document, allowing
macro code in the document to be run when the document is opened
without prompting the user or notifying them that the document
contains macros.  Furthermore, the macro will be run without user
knowledge even if the user's security setting is at the highest
setting (automatically strip out untrusted macros).

I have attached a sample document to this email.

Is this a known issue?

Steven McLeod.
