Hi,

Within minutes of Microsoft posting the bulletin on their site, my mailbox was swamped with emails from people asking the same two questions. I am therefore forwarding the below email (minus the sample document!) to the BugTraq mailing list to reach a wide audience and answer the two questions I keep getting asked:

1) Reporters asking when I notified Microsoft of the issue. As you can see below, it was the 23rd of April. Yes, I know, it was before Office XP/2002 even went on sale.

2) People asking for a sample document which defeats the macro checking. I think the most responsible course of action is to give users a chance to download the patch and/or antivirus updates before making an example available. SecurityFocus will no doubt make my sample document available at the URL http://www.securityfocus.com/bid/2876 after users have had a chance to protect themselves.

Regards,
Steven McLeod.

>From: "Steven McLeod" <stevenmcleodat_private>
>To: aleph1at_private
>CC: russ.cooperat_private, virus_supportat_private, virus_researchat_private,
>virus_doctorat_private, samples@F-Secure.com, yweeat_private,
>supportat_private, newvirusat_private, secureat_private
>Subject: Microsoft Word macro vulnerability advisory MS01-034
>Date: Fri, 22 Jun 2001 14:28:52 -0000
>MIME-Version: 1.0
>X-Originating-IP: [210.84.112.186]
>Received: from 210.84.112.186 by lw11fd.law11.hotmail.msn.com with
>HTTP;Fri, 22 Jun 2001 14:28:52 GMT
>
>
>Hi,
>
>I am sending this email to complement Microsoft's Word macro vulnerability
>advisory just published at
>http://www.microsoft.com/technet/security/bulletin/MS01-034.asp
>
>Attached to this email is the sample I sent Microsoft when I alerted them
>to this issue.
>
>I am also forwarding this email with the sample included to the major
>antivirus vendors for them to examine.
>
>I will leave it up to SecurityFocus' good judgment as to when the sample
>file should be included in the "exploit" section of your vulnerability
>database so that system administrators can test their systems after
>applying Microsoft's patch. Looking at the structure of your site, I
>assume that this sample document will reside at
>http://www.securityfocus.com/bid/2876
>
>I would like to take this opportunity to thank (in no particular order)
>Alex Uy, Eric Schultze and Scott Culp (Microsoft Security Response Center),
>Elias Levy (Mr BugTraq), and Russ Cooper (Mr NTBugTraq) for their comments
>and assistance with this issue.
>
>Regards,
>Steven McLeod.
>
>>From: "Steven McLeod" <stevenmcleodat_private>
>>To: secureat_private
>>Subject: Macro Viruses
>>Date: Mon, 23 Apr 2001 09:44:20 -0000
>>
>>Hi,
>>
>>When you open a Microsoft Word document which contains macros,
>>the default security level causes MS Word to pop up a message
>>box stating "This document contains macros, which could be a
>>virus" and allows the user to "Disable macros" or "Enable macros".
>>
>>Alternatively, if the user's macro security is set to the most
>>secure setting (requiring macros to be signed) all untrusted macros
>>will automatically be stripped out from the document.
>>
>>This macro security feature of MS Word (in Office 2000 and Office
>>97) can be trivially bypassed by a malicious document, allowing
>>macro code in the document to be run when the document is opened
>>without prompting the user or notifying them that the document
>>contains macros. Furthermore, the macro will be run without user
>>knowledge even if the user's security setting is at the highest
>>setting (automatically strip out untrusted macros).
>>
>>I have attached a sample document to this email.
>>
>>Is this a known issue?
>>
>>Regards,
>>Steven McLeod.