
Fw: Microsoft Security Bulletin (MS99-002)





----- Original Message ----- 
From: Microsoft Product Security <secnotif@xxxxxxxxxxxxx>
To: <MICROSOFT_SECURITY@xxxxxxxxxxxxxxxxxxxxxx>
Sent: Thursday, January 21, 1999 19:38
Subject: Microsoft Security Bulletin (MS99-002)


>The following is a Security Bulletin from the Microsoft Product Security
>Notification Service.
>
>Please do not reply to this message, as it was sent from an unattended
>mailbox.
>                    ********************************
>
>Microsoft Security Bulletin (MS99-002)
>--------------------------------------
>
>Patch Available for "Word 97 Template" Vulnerability
>
>Originally Posted: January 21, 1999
>
>Summary
>=======
>Microsoft has released a patch that fixes a vulnerability in Word 97 which
>could permit macros to run without warning the user when the user opens a
>document based on a template containing macros. A malicious hacker could
>exploit this vulnerability to cause malicious macro code to be run without
>warning if a user opens a Word attachment that was sent by a malicious
>hacker, or posted on a web site controlled by the malicious hacker. This
>malicious macro could possibly be used to damage or retrieve data on a
>user's system.
>
>A fully supported patch is available to fix this vulnerability, and
>Microsoft recommends that customers download and install it to protect their
>computers.
>
>Issue
>=====
>Now available for download, the Word 97 Template Security Patch addresses a
>vulnerability that could allow malicious macro code to be run in a Word 97
>document without warning a user when the user opens the document.
>
>A standard safety feature of Word 97 is that it warns users when a document
>containing macros is opened; however, if that document does not itself
>contain macros, but rather is linked to a template that does contain
>macros, no warning is issued. A malicious hacker could exploit this
>vulnerability to cause malicious macro code to run without warning if a user
>opens a Word document attached to an email sent by the malicious hacker, or
>if the user opens a Word document on a web site controlled by the malicious
>hacker. This malicious macro could possibly be used to damage or retrieve
>data on a user's system.
>
>The Word 97 Template Security Patch prevents a hacker from exploiting this
>vulnerability. After installing the patch, users will be warned before they
>launch a document based on a template that contains macros. Installing the
>patch will not disable the use of templates or macros on templates.
>
>While there have not been any reports of customers being adversely affected
>by these problems, Microsoft is releasing a patch to address any risks posed
>by this issue.
>
>Affected Software Versions
>==========================
>The following software versions are affected:
> - Microsoft Word 97
>
>What Microsoft is Doing
>=======================
>Microsoft has released a patch that fixes the problem identified. This patch
>is available for download from the sites listed below in "What Customers
>Should Do".
>
>Microsoft has made information about this patch available on the Microsoft
>Office web site, and has sent information about the availability of this
>patch to ISV partners licensing VBA and registered Office users.
>
>Microsoft has sent this security bulletin to customers subscribing to the
>Microsoft Product Security Notification Service. See "Signing up for the
>Microsoft Product Security Notification Service"
>(http://www.microsoft.com/security/services/bulletin.asp) for more
>information about this free customer service.
>
>Microsoft has published the following Knowledge Base (KB) article on this
>issue:
>
> - Microsoft Knowledge Base (KB) article Q214652,
>   "No Macro Warning Opening File Attached to Template
>   Containing Macros",
>   http://support.microsoft.com/support/kb/articles/q214/6/52.asp
>
>(Note: It might take 24 hours from the original posting of this bulletin for
>the KB article to be visible in the Web-based Knowledge Base.)
>
>What customers should do
>========================
>Microsoft highly recommends that all affected customers download the patch
>to protect their computers. The complete URL for each affected software
>version is given below.
>
>Customers can obtain the patch from the free Office Update service. To
>obtain this patch using Office Update, visit the Office Update site at
>http://officeupdate.microsoft.com/downloaddetails/wd97sp.htm.
>
>More Information
>================
>Please see the following references for more information related to this
>issue.
>
> - Patch Available for "Word 97 Template" Vulnerability
>   (the Web-posted version of this bulletin),
>   http://www.microsoft.com/security/bulletins/ms99-002.asp
> - Microsoft Knowledge Base (KB) article Q214652,
>   "No Macro Warning Opening File Attached to Template
>   Containing Macros",
>   http://support.microsoft.com/support/kb/articles/q214/6/52.asp
>
>Acknowledgements
>================
>Microsoft would like to thank Woody's Office Watch and their reader, DavidF,
>for notifying us about this vulnerability.
>
>Obtaining Support on this Issue
>===============================
>This is a supported patch. If you have problems installing this patch or
>require technical assistance with this patch, please contact Microsoft
>Technical Support. For information on contacting Microsoft Technical
>Support, please see
>http://support.microsoft.com/support/contact/default.asp.
>
>Revisions
>=========
> - January 21, 1999: Bulletin Created
>
>
>For additional security-related information about Microsoft products, please
>visit http://www.microsoft.com/security
>
>
>--------------------------------------------------------------
>THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
>WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
>EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
>FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
>SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
>INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
>IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
>POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
>LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
>FOREGOING LIMITATION MAY NOT APPLY.
>
>(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.
>
>   *******************************************************************
>You have received this e-mail bulletin as a result of your registration
>to the Microsoft Product Security Notification Service. You may
>unsubscribe from this e-mail notification service at any time by sending
>an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@xxxxxxxxxxxxxxxxxxxxxx
>The subject line and message body are not used in processing the request,
>and can be anything you like.
>
>For more information on the Microsoft Security Notification Service
>please visit http://www.microsoft.com/security/bulletin.htm. For
>security-related information about Microsoft products, please visit the
>Microsoft Security Advisor web site at http://www.microsoft.com/security.
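
The condition the bulletin describes, a document with no macros of its own that is linked to a template that does contain them, can be checked for before a file is opened. The following Python check is an added example, not part of the forwarded bulletin or of Microsoft's patch, and it goes beyond Word 97's binary format to the modern OOXML (.docx) package, where the template link is an `attachedTemplate` relationship; the function names and the sample input are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                 "relationships/attachedTemplate")
RELS_PART = "word/_rels/settings.xml.rels"
MACRO_EXTS = (".dotm", ".dot")  # template types that can carry macros


def attached_templates(docx_bytes):
    """Return one finding per attached-template relationship in the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PART not in zf.namelist():
            return findings  # no settings relationships, so no attached template
        # For bulk scanning of untrusted files, prefer a hardened XML parser.
        root = ET.fromstring(zf.read(RELS_PART))
    for rel in root.iter("{%s}Relationship" % REL_NS):
        if rel.get("Type") != TEMPLATE_TYPE:
            continue
        target = rel.get("Target", "")
        findings.append({
            "target": target,
            # External means the template lives outside the document package.
            "external": rel.get("TargetMode") == "External",
            "macro_capable": target.lower().split("?")[0].endswith(MACRO_EXTS),
        })
    return findings


def build_sample(target, mode=None):
    """Constructed test input: a minimal ZIP holding only the rels part."""
    mode_attr = ' TargetMode="%s"' % mode if mode else ""
    rels = ('<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
            'Target="%s"%s/></Relationships>'
            % (REL_NS, TEMPLATE_TYPE, target, mode_attr))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(RELS_PART, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a document linked to a macro-capable template.
    sample = build_sample("https://templates.example.test/Report.dotm", "External")
    for finding in attached_templates(sample):
        print(finding)
```

A finding with both `external` and `macro_capable` set marks a document whose macros would come from the linked template rather than from the file being inspected.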