
Fw: Microsoft Security Bulletin (MS99-001)





----- Original Message ----- 
From: Microsoft Product Security <secnotif@xxxxxxxxxxxxx>
To: <MICROSOFT_SECURITY@xxxxxxxxxxxxxxxxxxxxxx>
Sent: Thursday, 21 January 1999 19:36
Subject: Microsoft Security Bulletin (MS99-001)


>The following is a Security Bulletin from the Microsoft Product Security
>Notification Service.
>
>Please do not reply to this message, as it was sent from an unattended
>mailbox.
>                    ********************************
>
>Microsoft Security Bulletin (MS99-001)
>--------------------------------------
>
>Patch Available for exposure in Forms 2.0 TextBox
>Control that allows data to be read from user's Clipboard
>
>Originally Posted: January 21, 1999
>
>Summary
>=======
>Microsoft has released a patch that fixes a vulnerability in the Forms 2.0
>ActiveX control. This control is distributed in any application that
>includes Visual Basic for Applications 5.0. A malicious hacker could use the
>Forms 2.0 Control to read or export text on a user's Clipboard when that
>user visits a web site set up by the malicious hacker or opens a HTML email
>created by the malicious hacker.
>
>A fully supported patch is available to fix this vulnerability, and
>Microsoft recommends that customers download and install it to protect their
>computers.
>
>Issue
>=====
>The Forms 2.0 ActiveX control has a vulnerability that allows text to be
>pasted from a user's Clipboard into a Forms 2.0 Text Box or Combo Box. This
>control is installed as a standard part of the applications listed in the
>"Affected Products" section below.
>
>A malicious hacker could use the Forms 2.0 Control to read or export text on
>a user's Clipboard when that user visits a web site set up by the malicious
>hacker or opens a HTML email created by the malicious hacker.
>
>The Forms 2.0 Security Patch prevents a hacker from exploiting this
>vulnerability. Those who install the patch will not lose functionality and
>will still have the ability to manually paste content from their Clipboard
>to a Forms 2.0 Text Box or Combo Box. Developers who have built VBA
>solutions using the Forms 2.0 Control will still be able to paste into Text
>Boxes and Combo Boxes.
>
>While there have not been any reports of customers being adversely affected
>by these problems, Microsoft is releasing a patch to address any risks posed
>by this issue.
>
>Affected Software Versions
>==========================
>The following software installs the Forms 2.0 control:
> - Microsoft Office 97
> - Microsoft Outlook 98
> - Microsoft Project 98
> - Microsoft Visual Basic 5.0
> - Any third-party product that includes Visual
>   Basic for Applications 5.0
>
>To determine whether you need to download and install the security fix,
>right-click the Fm20.dll file in your \Windows\System folder and choose
>Properties on the shortcut menu. If the file date of your FM20.dll file is
>earlier than January 11, 1999 (1/11/99), you should download and install the
>security fix.
>
>What Microsoft is Doing
>=======================
>Microsoft has released a patch that fixes the problem identified. This patch
>is available for download from the sites listed below in "What Customers
>Should Do".
>
>Microsoft has made information about this patch available on the Microsoft
>Office web site, and has sent information about the availability of this
>patch to ISV partners licensing VBA and registered Office users.
>
>Microsoft has sent this security bulletin to customers subscribing to the
>Microsoft Product Security Notification Service. See "Signing up for the
>Microsoft Product Security Notification Service"
>(http://www.microsoft.com/security/services/bulletin.asp) for more
>information about this free customer service.
>
>Microsoft has published the following Knowledge Base (KB) article on this
>issue:
>
> - Microsoft Knowledge Base (KB) article Q214757,
>   "Forms 2.0 (Fm20*.dll) ActiveX Control Security Fix",
>   http://support.microsoft.com/support/kb/articles/q214/7/57.asp
>
>(Note: It might take 24 hours from the original posting of this bulletin for
>the KB article to be visible in the Web-based Knowledge Base.)
>
>What customers should do
>========================
>
>Microsoft highly recommends that all affected customers download the patch
>to protect their computers. The complete URL for each affected software
>version is given below.
>
>Customers can obtain the patch from the free Office Update service. To
>obtain this patch using Office Update, visit the Office Update site at
>http://officeupdate.microsoft.com/downloaddetails/fm2paste.htm.
>
>More Information
>================
>Please see the following references for more information related to this
>issue.
>
> - Patch Available for exposure in Forms 2.0 TextBox
>   Control that allows data to be read from user's Clipboard
>   (the Web-posted version of this bulletin),
>   http://www.microsoft.com/security/bulletins/ms99-001.asp
> - Microsoft Knowledge Base (KB) article Q214757,
>   "Forms 2.0 (Fm20*.dll) ActiveX Control Security Fix",
>   http://support.microsoft.com/support/kb/articles/q214/7/57.asp
>
>Acknowledgements
>================
>Microsoft wishes to acknowledge Juan Carlos Garcia Cuartango of Spain for
>discovering this vulnerability and for his continued assistance and input.
>
>Obtaining Support on this Issue
>===============================
>This is a supported patch. If you have problems installing this patch or
>require technical assistance with this patch, please contact Microsoft
>Technical Support. For information on contacting Microsoft Technical
>Support, please see
>http://support.microsoft.com/support/contact/default.asp.
>
>Revisions
>=========
> - January 21, 1999: Bulletin Created
>
>For additional security-related information about Microsoft products, please
>visit http://www.microsoft.com/security
>
>
>--------------------------------------------------------------
>THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
>WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
>EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
>FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
>SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
>INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
>IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
>POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
>LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
>FOREGOING LIMITATION MAY NOT APPLY.
>
>(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.
>
>   *******************************************************************
>You have received this e-mail bulletin as a result of your registration
>to the Microsoft Product Security Notification Service. You may
>unsubscribe from this e-mail notification service at any time by sending
>an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@xxxxxxxxxxxxxxxxxxxxxx
>The subject line and message body are not used in processing the request,
>and can be anything you like.
>
>For more information on the Microsoft Security Notification Service
>please visit http://www.microsoft.com/security/bulletin.htm. For
>security-related information about Microsoft products, please visit the
>Microsoft Security Advisor web site at http://www.microsoft.com/security.