4 October, 2001
Malformed Microsoft Excel or PowerPoint documents bypass Microsoft macro security features

Symantec Security Response

Risk Impact:
Unauthorized macro files, potentially containing malicious code, can run without warning, successfully bypassing Microsoft's security features. An attacker could run arbitrary code with user privileges.

Microsoft Excel 97 for Windows
Microsoft Excel 98 for Macintosh
Microsoft Excel 2000 for Windows
Microsoft Excel 2001 for Macintosh
Microsoft Excel 2002 for Windows
Microsoft PowerPoint 97 for Windows
Microsoft PowerPoint 98 for Macintosh
Microsoft PowerPoint 2000 for Windows
Microsoft PowerPoint 2001 for Macintosh
Microsoft PowerPoint 2002 for Windows
All versions of these individual products bundled in Microsoft Office Suites.
Microsoft Excel 98 and PowerPoint 98 for Macintosh, although not tested by Symantec, should be considered vulnerable to this issue.

Microsoft Office applications, 2000 versions and later, have three security settings for macros. The "Low" setting allows all macros to run. The "Medium" setting displays a warning window stating the dangers of opening documents containing macros; this pop-up lets the user decide whether to enable or disable the macro. Under the "High" setting, unsigned macros are disabled automatically. Microsoft Office applications prior to the 2000 version had much simpler macro security models.

Symantec engineers have discovered that by specifically modifying the data stream in a document file containing a macro, the Microsoft Office security settings for macros are completely bypassed in all versions of Microsoft PowerPoint and Excel products.

This issue was initially reported to Microsoft Security on 26 June 2001.

Symantec engineers discovered a bug in the way macros are loaded in all versions of Microsoft PowerPoint and Excel. Under normal circumstances, with the high or medium security setting enabled, whenever a Microsoft PowerPoint or Excel document is received, it is scanned for macros. If the document contains a macro, a security warning prompt is displayed under medium security or, if the macro is recognized as untrusted, it is disabled under the high security setting. Microsoft Office versions prior to 2000 provided a much simpler security model.

By specifically modifying the data stream in the document file, the Microsoft security scanner is prevented from recognizing an embedded macro, resulting in its execution when the document is opened. Exploiting this vulnerability in susceptible Microsoft products enables an attacker to craft potentially malicious macro code that runs automatically when such a modified document is opened on a target machine. The malicious macro is able to take any action with the privileges of the user on the targeted system.

This has been successfully tested in PowerPoint and Excel 97 SR-2, PowerPoint and Excel 2000, and PowerPoint and Excel 2002 as well as PowerPoint and Excel 2001 for Macintosh. Under PowerPoint 2002, the version included in Microsoft Office XP, even unsigned macros can be executed at the highest security settings (the Run option is not disabled).

NOTE: A similar exploit exists for Microsoft Word; however, the Microsoft security patch available in Microsoft Security Bulletin MS01-034 for Steven McLeod's Microsoft Word macro exploit also protects against this exploit. Symantec urges all Microsoft Word users who have not applied the patch in MS01-034 to download and apply that patch immediately as well, for maximum protection.

Symantec Response:
Symantec highly recommends all users ensure they are running a current AV product with the latest updates and script blocking to protect against unauthorized executables and other hostile code running on the user's system. Microsoft application users should ensure that all security patches are up-to-date.

Additionally, Microsoft has released a security bulletin, MS01-050, for this issue with links to individual product security patches. Users of individual Microsoft Office products as well as bundled Microsoft Office suites should download and install the appropriate security patches to secure their applications.

NOTE: Microsoft no longer supports Microsoft Office application versions prior to 2000 for Windows or 98 for Macintosh. Symantec strongly suggests that all users of earlier versions upgrade as soon as possible to a supported version and apply all appropriate security patches.

The Common Vulnerabilities and Exposures (CVE) initiative has assigned the name CAN-2001-0718 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Peter Ferrie, Symantec Security Response Australia, discovered and researched these vulnerabilities. Symantec would like to also thank Microsoft Security Response for their cooperation and coordination in addressing this issue.

Copyright (c) 2001 by Symantec Corp.
Permission to redistribute this Bulletin electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this Bulletin in medium other than electronically requires permission from SymSecurity@symantec.com.
The information in the advisory is believed to be accurate at the time of printing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage arising from use of, or reliance on this information. Symantec, Symantec Security Response and SymSecurity are Registered Trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.

Last modified on: Thursday, 20-Dec-2001 15:45:02 PST