__________________________________________________________

             The U.S. Department of Energy
          Computer Incident Advisory Center
__________________________________________________________

                       INFORMATION BULLETIN

        Microsoft IE and Office for Macintosh Vulnerabilities
               [Microsoft Security Bulletin MS02-019]

April 18, 2002 18:00 GMT                                    Number M-068
______________________________________________________________________________
PROBLEM:       Two vulnerabilities have been identified by Microsoft:
               1) A buffer overflow exists in the handling of a particular
                  HTML element, and 2) a vulnerability exists that allows
                  local AppleScripts to be invoked by a web page.

PLATFORM:      Microsoft Internet Explorer 5.1 for Macintosh OS X
               Microsoft Internet Explorer 5.1 for Macintosh OS 8 & 9
               Microsoft Outlook Express 5.0-5.0.3 for Macintosh
               Microsoft Entourage v. X for Macintosh
               Microsoft Entourage 2001 for Macintosh
               Microsoft PowerPoint v. X for Macintosh
               Microsoft PowerPoint 2001 for Macintosh
               Microsoft PowerPoint 98 for Macintosh
               Microsoft Excel v. X for Macintosh
               Microsoft Excel 2001 for Macintosh

DAMAGE:        1) A successful attack would cause the program to fail, or
                  cause code of the attacker's choice to run as if it were
                  the user.
               2) The AppleScripts would run as if they had been launched
                  by the user, and could take the same actions as any
                  AppleScript legitimately launched by the user.

SOLUTION:      Apply the patch supplied by the vendor.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. 1) A successful attack using an HTML web
ASSESSMENT:    page would require the attacker to lure the user into
               visiting a site under their control. A successful attack
               using HTML email would require specific knowledge of the
               user's mail client and cannot be mounted against PC users.
               2) A successful attack requires that the attacker know the
               full path and file name of any AppleScript they want to
               invoke.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-068.shtml
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-019.asp
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS02-019 *****]

Microsoft Security Bulletin MS02-019

Unchecked Buffer in Internet Explorer and Office for Mac Can Cause Code to
Execute (Q321309)

Originally posted: April 16, 2002

Summary

Who should read this bulletin: All users of Microsoft® Internet Explorer and
Office for the Macintosh®

Impact of vulnerability: Run code of attacker's choice.

Maximum Severity Rating: Critical

Recommendation: Customers running Internet Explorer and Office for Macintosh
should apply the patches.

Affected Software:

  Microsoft Internet Explorer 5.1 for Macintosh OS X
  Microsoft Internet Explorer 5.1 for Macintosh OS 8 & 9
  Microsoft Outlook Express 5.0-5.0.3 for Macintosh
  Microsoft Entourage v. X for Macintosh
  Microsoft Entourage 2001 for Macintosh
  Microsoft PowerPoint v. X for Macintosh
  Microsoft PowerPoint 2001 for Macintosh
  Microsoft PowerPoint 98 for Macintosh
  Microsoft Excel v. X for Macintosh
  Microsoft Excel 2001 for Macintosh

Technical details

Technical description:

This is a cumulative patch that, when applied, eliminates all previously
released security vulnerabilities affecting IE 5.1 for Macintosh and Office
v. X for Macintosh. In addition, it eliminates two newly discovered
vulnerabilities.

The first is a buffer overrun vulnerability associated with the handling of
a particular HTML element. Because of support for HTML in Office
applications, this flaw affects both IE and Office for Macintosh. A security
vulnerability results because an attacker can levy a buffer overrun attack
against IE that attempts to exploit this flaw.
A successful attack would cause the program to fail, or cause code of the
attacker's choice to run as if it were the user.

The second is a vulnerability that can allow local AppleScripts to be
invoked by a web page. This vulnerability can allow locally stored
AppleScripts to be invoked automatically without first calling the Helper
application. The AppleScripts would run as if they had been launched by the
user, and could take the same actions as any AppleScript legitimately
launched by the user. The AppleScript would have to already be present on
the system; there is no way for an attacker to deliver an AppleScript of her
choosing through this vulnerability.

Mitigating factors:

Unchecked Buffer in HTML Element:

  Successfully exploiting this issue with Office files requires that a user
  accept files from an unknown or untrusted source. Users should never
  accept files from unknown or untrusted sources. Accepting files only from
  trusted sources can prevent attempts to exploit this issue.

  A successful attack using HTML email would require specific knowledge of
  the user's mail client and cannot be mounted against PC users.

  A successful attack using an HTML web page would require the attacker to
  lure the user into visiting a site under her control. Users who exercise
  caution in their browsing habits can potentially protect themselves from
  attempts to exploit this vulnerability.

  On operating systems that enforce security on a per-user basis, such as
  Mac OS X, the specific actions that an attacker's code can take would be
  limited to those allowed by the privileges of the user's account.

Local AppleScript Invocation:

  The vulnerability only affects IE on Mac OS 8 & 9.

  A successful attack requires that the attacker know the full path and
  file name of any AppleScript they want to invoke.

  The vulnerability provides no means to deliver an AppleScript of the
  attacker's construction: it can only invoke AppleScripts already present
  on the user's system.
Severity Rating:

Unchecked Buffer in HTML Element:

                                                     Internet  Intranet  Client
                                                     Servers   Servers   Systems
  Microsoft Internet Explorer 5.1 for Macintosh OS X    None      None   Critical
  Microsoft Internet Explorer 5.1 for Mac OS 8 & 9      None      None   Critical
  Microsoft Outlook Express 5.0.2 for Macintosh         None      None   Critical
  Microsoft Entourage v. X for Macintosh                None      None   Critical
  Microsoft Entourage 2001 for Macintosh                None      None   Critical
  Microsoft PowerPoint v. X for Macintosh               None      None   Low
  Microsoft PowerPoint 2001 for Macintosh               None      None   Low
  Microsoft PowerPoint 98 for Macintosh                 None      None   Low
  Microsoft Excel v. X for Macintosh                    None      None   Low
  Microsoft Excel 2001 for Macintosh                    None      None   Low

Local AppleScript Invocation:

                                                     Internet  Intranet  Client
                                                     Servers   Servers   Systems
  Microsoft Internet Explorer 5.1 for Macintosh OS X    None      None   None
  Microsoft Internet Explorer 5.1 for Mac OS 8 & 9      None      None   Moderate
  Microsoft Outlook Express 5.0.2 for Macintosh         None      None   None
  Microsoft Entourage v. X for Macintosh                None      None   None
  Microsoft Entourage 2001 for Macintosh                None      None   None
  Microsoft PowerPoint v. X for Macintosh               None      None   None
  Microsoft PowerPoint 2001 for Macintosh               None      None   None
  Microsoft PowerPoint 98 for Macintosh                 None      None   None
  Microsoft Excel v. X for Macintosh                    None      None   None
  Microsoft Excel 2001 for Macintosh                    None      None   None

Aggregate severity of all vulnerabilities eliminated by patch:

                                                     Internet  Intranet  Client
                                                     Servers   Servers   Systems
  Microsoft Internet Explorer 5.1 for Macintosh OS X    None      None   Critical
  Microsoft Internet Explorer 5.1 for Mac OS 8 & 9      None      None   Critical
  Microsoft Outlook Express 5.0.2 for Macintosh         None      None   Critical
  Microsoft Entourage v. X for Macintosh                None      None   Critical
  Microsoft Entourage 2001 for Macintosh                None      None   Critical
  Microsoft PowerPoint v. X for Macintosh               None      None   Low
  Microsoft PowerPoint 2001 for Macintosh               None      None   Low
  Microsoft PowerPoint 98 for Macintosh                 None      None   Low
  Microsoft Excel v. X for Macintosh                    None      None   Low
  Microsoft Excel 2001 for Macintosh                    None      None   Low

The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them. The unchecked buffer in
HTML Element vulnerability could be remotely exploited through HTML email.
On Office, the HTML Element issue does not qualify as a vulnerability,
because exploiting the issue requires that users accept and open files from
untrusted sources. The AppleScript local invocation requires detailed
knowledge regarding the naming and configuration of the machine in order to
be exploitable. In addition, the severity rating includes the aggregate
ratings for issues eliminated by previous patches that are contained in this
patch.

Vulnerability identifier:

  Unchecked Buffer in HTML Element:  CAN-2002-0152
  Local AppleScript Invocation:      CAN-2002-0153

Tested Versions:

Microsoft tested Internet Explorer 5.1 for Macintosh, Outlook Express 5.0.2,
and Office v. X, 2001 and 98 to assess whether they are affected by this
vulnerability. Previous versions are no longer supported, and may or may not
be affected by these vulnerabilities.

Patch availability

Download locations for this patch

  Microsoft IE 5.1 for Mac OSX: Users must use the Software Update feature
  of Mac OS X v10.1 to install the "Internet Explorer 5.1 Security Update."
  More information on Software Update is available at:
  http://www.apple.com/macosx/upgrade/softwareupdates.html.

  All other products: http://www.microsoft.com/mac/download

  Microsoft PowerPoint 98 for Macintosh: Patch is under development and
  will be available shortly. When this happens, we will re-release this
  bulletin with information on how to obtain and install these patches.

Additional information about this patch

Installation platforms:

  Microsoft Internet Explorer 5.1 for Macintosh OS X: This patch can be
  installed on systems running Mac OS X v. 10.1.
  Microsoft Internet Explorer 5.1 for Macintosh OS 8 & 9: This patch can be
  installed on systems running Mac OS 8 & 9.

  Microsoft Outlook Express 5.0.4 for Macintosh: This patch can be
  installed on systems running Mac OS 8 & 9.

  Microsoft Entourage v. X for Macintosh: This patch can be installed on
  systems running Microsoft Office v. X for Mac.

  Microsoft Entourage 2001 for Macintosh: This patch can be installed on
  systems running Microsoft Office 2001 for Mac OS 8 & 9.

  Microsoft PowerPoint v. X for Macintosh: This patch can be installed on
  systems running Microsoft Office v. X for Mac.

  Microsoft PowerPoint 2001 for Macintosh: This patch can be installed on
  systems running Microsoft Office 2001 for Mac OS 8 & 9.

  Microsoft PowerPoint 98 for Macintosh: This patch can be installed on
  systems running Microsoft Office 98 Gold for Mac OS 8 & 9.

  Microsoft Excel v. X for Macintosh: This patch can be installed on
  systems running Microsoft Office v. X for Mac.

  Microsoft Excel 2001 for Macintosh: This patch can be installed on
  systems running Microsoft Office 2001 for Mac OS 8 & 9.

Reboot needed: No

Superseded patches:

  The Internet Explorer 5.1 for Macintosh OS X patch supersedes MS01-053.
  The Microsoft Office X patches supersede MS02-002.

Verifying patch installation:

  Microsoft Internet Explorer 5.1 for Macintosh OS X: To verify that the
  patch has been installed on the machine, confirm that the version number
  of Internet Explorer is now 5.1.4. This can be done by choosing "About
  Internet Explorer" from the "Explorer" menu and confirming the version
  number is "5.1.4 (4405)".

  Microsoft Internet Explorer 5.1 for Macintosh OS 8 & 9: To verify that
  the patch has been installed on the machine, confirm that the version
  number of Internet Explorer is now 5.1.4. This can be done by choosing
  "About Internet Explorer" from the "Explorer" menu and confirming the
  version number is "5.1.4".

  Microsoft Outlook Express 5.0.4 for Macintosh: Inside the Outlook Express
  folder, select: Outlook Express. Select the file in the Finder. From the
  File menu, choose "Show Info", and verify that the version shown is
  "5.0.4".

  Microsoft Entourage v. X, Microsoft PowerPoint v. X, Microsoft Excel v. X
  for Macintosh: Inside the Microsoft Office X:Office folder, select:
  Microsoft Office X. Select the file in the Finder. From the File menu,
  choose "Show Info", and verify that the version shown is "10.0.3 (1412)".

  Microsoft Entourage 2001, Microsoft PowerPoint 2001, Microsoft Excel
  2001, Microsoft Word 2001 for Macintosh: Inside the Microsoft Office
  2001:Office folder, select: Microsoft Internet Library. Select the file
  in the Finder. From the File menu, choose "Get Info", and verify that the
  description shown is "Microsoft Office 2001 SP2".

Caveats: None

Localization:

  Localized versions of this patch are under development and will be
  available at the Macintosh download site referenced above.

Obtaining other security patches:

  Patches for other security issues are available from the following
  locations:

  Security patches are available from the Microsoft Download Center, and
  can be most easily found by doing a keyword search for "security_patch".

  Patches for consumer platforms are available from the WindowsUpdate web
  site.

  All patches available via WindowsUpdate also are available in a
  redistributable form from the WindowsUpdate Corporate site.

Other information:

Acknowledgments

Microsoft thanks Josha Bronson of AngryPacket Security and w00w00 for
reporting this issue to us and working with us to protect customers.

Support:

  Microsoft Knowledge Base article Q321309 discusses this issue and will be
  available approximately 24 hours after the release of this bulletin.
  Knowledge Base articles can be found on the Microsoft Online Support web
  site.
  Technical support is available from Microsoft Product Support Services.
  There is no charge for support calls associated with security patches.

Security Resources:

  The Microsoft TechNet Security Web Site provides additional information
  about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as
is" without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages, even
if Microsoft Corporation or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.

Revisions:

  V1.0 (April 16, 2002): Bulletin Created.

[***** End Microsoft Security Bulletin MS02-019 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for
the information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Center, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-059: Red Hat "groff" Vulnerability
M-060: JRE Bytecode Verifier Vulnerability
M-061: HP VVOS Web proxy Vulnerability
M-062: Double Free Bug in zlib Compression Library
M-063: Microsoft Internet Explorer Vulnerabilities
CIACTech02-002: Microsoft Browser Helper Objects (BHO) Could Hide Malicious Code
M-064: Cisco web interface vulnerabilities in ACS for Windows
M-065: Red Hat Race Conditions in "logwatch"
M-066: Microsoft Cumulative Patch for Internet Information Services (IIS) Vulnerabilities
M-067: SGI Mail, mailx, sort, timed, and gzip Vulnerabilities