---------- Forwarded message ----------
Date: Mon, 20 Jul 1998 10:04:46 -0700
From: Microsoft Product Security Response Team <secureat_private>
To: MICROSOFT_SECURITYat_private
Subject: Microsoft Security Bulletin (MS98-005)

Microsoft Security Bulletin (MS98-005)
------------------------------------------------------------------------

Unwanted Data Issue with Office 98 for the Macintosh

Last Revision: July 17, 1998

Summary
=======
Recently Microsoft was notified of an issue affecting the way files are
stored to local disks in Microsoft Office 98 for the Macintosh. When
Office 98 for the Macintosh creates a file on the local disk for storage,
it is possible that a small amount of random data from a previously
deleted file could become embedded in the Office 98 file. While the
likelihood of revealing sensitive information is low, if this file were
then sent to another user, it could possibly expose data from a
previously deleted file on the sender's system.

The purpose of this bulletin is to inform Microsoft customers of this
issue, its applicability to Microsoft products, and the availability of
countermeasures Microsoft has developed to further secure its customers.

Issue
=====
The problem is caused by the way Office 98 allocates space on a disk for
local file storage. The Mac OS -- like many other OS' file systems --
does not erase files when you delete them; it simply removes a reference
to them in the disk's catalog, and marks the space they occupied as
"free." Office 98 does not clear the disk space when the Mac OS allocates
it during a File Save operation. Instead, Office 98 simply writes the
file contents to the allocated disk space, overwriting any random data
that physically existed on the disk. Since the Mac OS allocates the disk
space in set chunks, called clusters, the small amount of unused space at
the end of the file's last cluster may contain random data from
previously-deleted files.

The data cannot be viewed when opened as a native Office file.
However, an ASCII text editor can be used to view the extraneous data.
Sensitive data is unlikely to be transferred through this bug, as
multiple unusual scenarios must occur.

Affected Software Versions
==========================
 - Microsoft Office 98 for the Macintosh

What Microsoft is Doing
=======================
Microsoft has produced an update for Office 98 for the Macintosh that
completely eliminates this problem. This update is available from
Microsoft's web site, as well as from Microsoft Technical Support. It
will be included in all future updates of Office 98 for the Macintosh.

What customers should do
========================
Microsoft recommends that customers using Office 98 for the Macintosh
install the available Office 98 update, which can be downloaded from the
Office 98 for the Macintosh web site at
http://www.microsoft.com/macoffice. Previous versions of Office for the
Macintosh are not affected.

Administrative workaround
=========================
Customers who cannot apply the hot fix can use the following workarounds
to temporarily address this issue:

 - This problem can be eliminated by using a third-party disk utility
   for the Mac OS that completely erases files when they are deleted.
 - Users can save files to freshly formatted floppy disks to ensure that
   there is no unwanted data included with the file.
 - This issue only affects files that are saved to a local Macintosh
   volume. By performing a "Save As..." operation from Office 98 and
   saving the file to a network volume, such as a Windows NT Server
   running Services for Macintosh, any random data at the end of the
   file will be removed.

More Information
================
Please see the following references for more information related to this
issue.
 - Microsoft Security Bulletin 98-005, Unwanted Data Issue with Office 98
   for the Macintosh (the web-posted version of this bulletin),
   http://www.microsoft.com/security/bulletins/ms98-005..htm
 - Microsoft MacOffice web site, http://www.microsoft.com/macoffice

Revisions
=========
 - July 17, 1998: Bulletin Created

For additional security-related information about Microsoft products,
please visit http://www.microsoft.com/security

------------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS
IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES,
EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT
CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER
INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS
PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT
APPLY.

(c) 1998 Microsoft and/or its suppliers. All rights reserved.
For Terms of Use see
http://support.microsoft.com/support/misc/cpyright.asp.

=====================================================

You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUESTat_private The subject
line and message body are not used in processing the request, and can be
anything you like.

For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/security/bulletin.htm.
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.
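
Added example (not part of the Microsoft bulletin): a small Python simulation of the allocation behaviour described under "Issue", showing a save that leaves the tail of the last cluster uncleared beside one that zero-fills it. The Disk class, the 512-byte cluster size, the file names and the file contents are all constructed for illustration, and the zero-fill is one possible mitigation, not a description of what Microsoft's update does.

```python
CLUSTER = 512  # assumed cluster size for this simulation

class Disk:
    """Toy volume: deleting a file frees its clusters but leaves the bytes in place."""
    def __init__(self, clusters):
        self.data = bytearray(clusters * CLUSTER)
        self.free = list(range(clusters))
        self.files = {}  # catalog: name -> cluster numbers

    def allocate(self, count):
        if count > len(self.free):
            raise OSError("disk full")
        got, self.free = self.free[:count], self.free[count:]
        return got

    def delete(self, name):
        # Only the catalog entry goes away; cluster contents are not erased.
        self.free = self.files.pop(name) + self.free

    def raw(self, name):
        return b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER])
                        for c in self.files[name])

def save(disk, name, content, clear_slack):
    """Store content in whole clusters; clear_slack zero-fills the last cluster's tail."""
    clusters = disk.allocate(-(-len(content) // CLUSTER))
    for i, c in enumerate(clusters):
        chunk = content[i * CLUSTER:(i + 1) * CLUSTER]
        if clear_slack:
            chunk = chunk.ljust(CLUSTER, b"\0")
        disk.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
    disk.files[name] = clusters

def slack_residue(disk, name, length):
    """Return whatever non-zero bytes sit past the file's logical end."""
    return disk.raw(name)[length:].strip(b"\0")

def demo(clear_slack):
    disk = Disk(4)
    old = b"Q3 payroll: CONSTRUCTED-SAMPLE " * 30  # constructed "deleted" file
    save(disk, "old.doc", old, clear_slack=False)
    disk.delete("old.doc")
    memo = b"Lunch menu for Friday."
    save(disk, "memo.doc", memo, clear_slack)
    return slack_residue(disk, "memo.doc", len(memo))

if __name__ == "__main__":
    print("without clearing:", demo(False)[:40])
    print("with clearing:   ", demo(True))
```

The same slack_residue check, pointed at the bytes past a document's logical end, is the kind of test a reviewer could run on a file before it leaves the machine.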