Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Macintosh :: m-068.txt

Microsoft IE and Office for Macintosh Vulnerabilities (CIAC M-068)




             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

             Microsoft IE and Office for Macintosh Vulnerabilities
                     [Microsoft Security Bulletin MS02-019]

April 18, 2002 18:00 GMT                                          Number M-068
______________________________________________________________________________
PROBLEM:       Two vulnerabilities have been identified by Microsoft: 1) A 
               buffer overflow exists with the handling of a particular HTML 
               element and 2) a vulnerability exists that allows local 
               AppleScripts to be invoke by a web page. 
PLATFORM:      Microsoft Internet Explorer 5.1 for Macintosh OS X 
               Microsoft Internet Explorer 5.1 for Macintosh OS 8 & 9 
               Microsoft Outlook Express 5.0.-5.0.3 for Macintosh 
               Microsoft Entourage v. X for Macintosh 
               Microsoft Entourage 2001 for Macintosh 
               Microsoft PowerPoint v. X for Macintosh 
               Microsoft PowerPoint 2001 for Macintosh 
               Microsoft PowerPoint 98 for Macintosh 
               Microsoft Excel v. X for Macintosh 
               Microsoft Excel 2001 for Macintosh 
DAMAGE:        1) A successful attack would have the result of causing the 
               program to fail, or to cause code of the attacker's choice to 
               run as if it were the user. 
               2) The AppleScripts would run as if they had been launched by 
               the user, and could take the same actions as any AppleScript 
               legitimately launched by the user. 
SOLUTION:      Apply the patch supplied by vendor. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. 1) A successful attack using an HTML web 
ASSESSMENT:    page would require the attacker to lure the user to visiting a 
               site under their control. A successful attack using HTML email 
               would require specific knowledge of the user's mail client and 
               cannot be mounted against PC users. 2) A successful attack 
               requires that the attacker know the full path and file name of 
               any AppleScript they want to invoke. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-068.shtml 
 ORIGINAL BULLETIN:                                                           
                     http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-019.asp 
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS02-019 *****]

Microsoft Security Bulletin MS02-019  


Unchecked Buffer in Internet Explorer and Office for Mac Can Cause 
Code to Execute (Q321309)

Originally posted: April 16, 2002

Summary
Who should read this bulletin: All users of Microsoft® Internet Explorer 
and Office for the Macintosh® 

Impact of vulnerability: Run code of attacker's choice. 

Maximum Severity Rating: Critical 

Recommendation: Customers running Internet Explorer and Office for 
Macintosh should apply the patches. 

Affected Software: 

Microsoft Internet Explorer 5.1 for Macintosh OS X 
Microsoft Internet Explorer 5.1 for Macintosh OS 8 & 9 
Microsoft Outlook Express 5.0.-5.0.3 for Macintosh 
Microsoft Entourage v. X for Macintosh 
Microsoft Entourage 2001 for Macintosh 
Microsoft PowerPoint v. X for Macintosh 
Microsoft PowerPoint 2001 for Macintosh 
Microsoft PowerPoint 98 for Macintosh 
Microsoft Excel v. X for Macintosh 
Microsoft Excel 2001 for Macintosh 

Technical details
Technical description: 


This is a cumulative patch that, when applied, eliminates all previously 
released security vulnerabilities affecting IE 5.1 for Macintosh, and 
Office v. X for Macintosh. In addition, it eliminates two newly discovered 
vulnerabilities. 

The first is a buffer overrun vulnerability associated with the handling 
of a particular HTML element. Because of support for HTML in Office 
applications, this flaw affects both IE and Office for Macintosh. A security 
vulnerability results because an attacker can levy a buffer overrun attack 
against IE that attempts to exploit this flaw. A successful attack would 
have the result of causing the program to fail, or to cause code of the 
attacker's choice to run as if it were the user. 

The second is a vulnerability that can allow local AppleScripts to be 
invoked by a web page. This vulnerability can allow locally stored 
AppleScripts to be invoked automatically without first calling the 
Helper application. The AppleScripts would run as if they had been 
launched by the user, and could take the same actions as any AppleScript 
legitimately launched by the user. The AppleScript would have to already 
be present on the system; there is no way for an attacker to deliver an 
AppleScript of her choosing through this vulnerability. 

Mitigating factors: 

Unchecked Buffer in HTML Element: 

Successfully exploiting this issue with Office files requires that a 
user accept files from an unknown or untrusted source. Users should 
never accept files unknown or untrusted sources. Accepting files only 
from trusted sources can prevent attempts to exploit this issue.
 
A successful attack using HTML email would require specific knowledge 
of the user's mail client and cannot be mounted against PC users. 

A successful attack using an HTML web page would require the attacker 
to lure the user to visiting a site under her control. Users who exercise 
caution in their browsing habits can potentially protect themselves from 
attempts to exploit this vulnerability. 

On operating systems that enforce security on per-user basis, such as 
Mac OS X, the specific actions that an attacker's code can take would be 
limited to those allowed by the privileges of the user's account. 

Local AppleScript Invocation: 

The vulnerability only affects IE on Mac OS 8 & 9. 

A successful attack requires that the attacker know the full path and 
file name of any AppleScript they want to invoke. 

The vulnerability provides no means to deliver an AppleScript of the 
attacker's construction: it can only invoke AppleScripts already present 
on the user's system. 

Severity Rating: 

Unchecked Buffer in HTML Element:  
                            Internet Servers  Intranet Servers  Client Systems 
Microsoft Internet Explorer 
5.1 for Macintosh OS X         None             None              Critical 
Microsoft Internet Explorer 
5.1 for Macintosh OS 8 & 9     None             None              Critical 
Microsoft Outlook Express 
5.0.2 for Macintosh            None             None              Critical 
Microsoft Entourage v. X 
for Macintosh                  None             None              Critical 
Microsoft Entourage 2001 
for Macintosh                  None             None              Critical 
Microsoft PowerPoint v. X 
for Macintosh                  None             None              Low 
Microsoft PowerPoint 2001 
for Macintosh                  None             None              Low 
Microsoft PowerPoint 98 
for Macintosh                  None             None              Low 
Microsoft Excel v. X 
for Macintosh                  None             None              Low 
Microsoft Excel 2001 
for Macintosh                  None             None              Low 


Local AppleScript Invocation:  
                             Internet Servers  Intranet Servers  Client Systems 
Microsoft Internet Explorer 
5.1 for Macintosh OS X         None             None              None 
Microsoft Internet Explorer 
5.1 for Macintosh OS 8 & 9     None             None              Moderate 
Microsoft Outlook Express 
5.0.2 for Macintosh            None             None              None 
Microsoft Entourage v. X 
for Macintosh                  None             None              None 
Microsoft Entourage 2001 
for Macintosh                  None             None              None 
Microsoft PowerPoint v. X 
for Macintosh                  None             None              None 
Microsoft PowerPoint 2001 
for Macintosh                  None             None              None 
Microsoft PowerPoint 98 
for Macintosh                  None             None              None 
Microsoft Excel v. X 
for Macintosh                  None             None              None 
Microsoft Excel 2001 
for Macintosh                  None             None              None 


Aggregate severity of all vulnerabilities eliminated by patch:  
                             Internet Servers  Intranet Servers  Client Systems 
Microsoft Internet Explorer 
5.1 for Macintosh OS X         None             None              Critical 
Microsoft Internet Explorer 5.1 
for Macintosh OS 8 & 9         None             None              Critical 
Microsoft Outlook Express 5.0.2 
for Macintosh                  None             None              Critical 
Microsoft Entourage v. X 
for Macintosh                  None             None              Critical 
Microsoft Entourage 2001 
for Macintosh                  None             None              Critical 
Microsoft PowerPoint v. X 
for Macintosh                  None             None              Low 
Microsoft PowerPoint 2001 
for Macintosh                  None             None              Low 
Microsoft PowerPoint 98 
for Macintosh                  None             None              Low 
Microsoft Excel v. X 
for Macintosh                  None             None              Low 
Microsoft Excel 2001 
for Macintosh                  None             None              Low 

The above assessment is based on the types of systems affected by the 
vulnerability, their typical deployment patterns, and the effect that 
exploiting the vulnerability would have on them. The unchecked buffer in 
HTML Element vulnerability could be remotely exploited through HTML email. 
On Office, the HTML Element issues does not qualify as a vulnerability, 
because exploiting the issue requires that users accept and open files 
from untrusted sources. The AppleScript local invocation requires detailed 
knowledge regarding the naming and configuration of the machine in order 
to be exploitable. In addition, the severity rating includes the aggregate 
ratings for issues eliminated by previous patches that are contained in 
this patch. 

Vulnerability identifier: 

Unchecked Buffer in HTML Element:CAN-2002-0152 
Local AppleScript Invocation:CAN-2002-0153 

Tested Versions:

Microsoft tested Internet Explorer 5.1 for Macintosh, Outlook Express 5.0.2, 
and Office v. X, 2001 and 98 to assess whether they are affected by this 
vulnerability. Previous versions are no longer supported, and may or may 
not be affected by these vulnerabilities.

Patch availability

Download locations for this patch 
Microsoft IE 5.1 for Mac OSX: Users must use the Software Update feature of 
Mac OS X v10.1 to install the "Internet Explorer 5.1 Security Update." 
More information on Software Update is available at: 
http://www.apple.com/macosx/upgrade/softwareupdates.html. 

All other products: http://www.microsoft.com/mac/download 

Microsoft PowerPoint 98 for Macintosh:
Patch is under development and will be available shortly. When this happens, 
we will re-release this bulletin with information on how to obtain and 
install these patches. 

Additional information about this patch

Installation platforms: 
Microsoft Internet Explorer 5.1 for Macintosh OS X:
This patch can be installed on systems running Mac OS X v. 10.1.
 
Microsoft Internet Explorer 5.1 for Macintosh OS 8 & 9:
This patch can be installed on systems running Mac OS 8 & 9.
 
Microsoft Outlook Express 5.0.4 for Macintosh:
This patch can be installed on systems running Mac OS 8 & 9. 

Microsoft Entourage v. X for Macintosh:
This patch can be installed on systems running Microsoft Office v. X for Mac.
 
Microsoft Entourage 2001 for Macintosh:
This patch can be installed on systems running Microsoft Office 2001 for 
Mac OS 8 & 9. 

Microsoft PowerPoint v. X for Macintosh:
This patch can be installed on systems running Microsoft Office v. X for Mac.
 
Microsoft PowerPoint 2001 for Macintosh:
This patch can be installed on systems running Microsoft Office 2001 for 
Mac OS 8 & 9. 

Microsoft PowerPoint 98 for Macintosh:
This patch can be installed on systems running Microsoft Office 98 Gold for 
Mac OS 8 & 9. 

Microsoft Excel v. X for Macintosh:
This patch can be installed on systems running Microsoft Office v. X for Mac.
 
Microsoft Excel 2001 for Macintosh:
This patch can be installed on systems running Microsoft Office 2001 for 
Mac OS 8 & 9. 

Reboot needed:
No 

Superseded patches: 

The Internet Explorer 5.1 for Macintosh OS X patch supersedes MS01-053. 
The Microsoft Office X patches supersede MS02-002. 
Verifying patch installation: 

Microsoft Internet Explorer 5.1 for Macintosh OS X:
To verify that the patch has been installed on the machine, confirm that 
the version number of Internet Explorer is now 5.1.4. 
This can be done by choosing "About Internet Explorer" from the "Explorer" 
menu and confirming the version number is "5.1.4 (4405)" 

Microsoft Internet Explorer 5.1 for Macintosh OS 8 & 9:
To verify that the patch has been installed on the machine, confirm that 
the version number of Internet Explorer is now 5.1.4. 
This can be done by choosing "About Internet Explorer" from the "Explorer" 
menu and confirming the version number is "5.1.4 " 

Microsoft Outlook Express 5.0.4 for Macintosh:

Inside the Outlook Express folder, select: 

Outlook Express 
Select the file in the Finder, From the File menu, choose "Show Info", 
and verify that the version shown is "5.0.4". 
Microsoft Entourage v. X, Microsoft PowerPoint v. X, Microsoft Excel v. X 
for Macintosh:
Inside the Microsoft Office X:Office folder, select: 
Microsoft Office X 
Select the file in the Finder, From the File menu, choose "Show Info", and 
verify that the version shown is "10.0.3 (1412)". 
Microsoft Entourage 2001, Microsoft PowerPoint 2001, Microsoft Excel 2001, 
Microsoft Word 2001 for Macintosh:

Inside the Microsoft Office 2001:Office folder, select: 
Microsoft Internet Library 
Select the file in the Finder, From the File menu, choose "Get Info", and 
verify that the description shown is "Microsoft Office 2001 SP2". 

Caveats:
None 

Localization:
Localized versions of this patch are under development and will be available 
at the Macintosh download site referenced above. 

Obtaining other security patches: 

Patches for other security issues are available from the following locations: 

Security patches are available from the Microsoft Download Center, and can be 
most easily found by doing a keyword search for "security_patch". 

Patches for consumer platforms are available from the WindowsUpdate web site 
All patches available via WindowsUpdate also are available in a 
redistributable form from the WindowsUpdate Corporate site. 

Other information: 

Acknowledgments

Microsoft thanks  Josha Bronson of AngryPacket Security and w00w00 for 
reporting this issue to us and working with us to protect customers. 

Support: 

Microsoft Knowledge Base article Q321309 discusses this issue and will be 
available approximately 24 hours after the release of this bulletin. 
Knowledge Base articles can be found on the Microsoft Online Support web site. 

Technical support is available from Microsoft Product Support Services. 
There is no charge for support calls associated with security patches. 

Security Resources: The Microsoft TechNet Security Web Site provides 
additional information about security in Microsoft products. 

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided 
"as is" without warranty of any kind. Microsoft disclaims all warranties, 
either express or implied, including the warranties of merchantability and 
fitness for a particular purpose. In no event shall Microsoft Corporation or 
its suppliers be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages, even if Microsoft Corporation or its suppliers have been advised 
of the possibility of such damages. Some states do not allow the exclusion 
or limitation of liability for consequential or incidental damages so the 
foregoing limitation may not apply. 

Revisions: 

V1.0 (April 16, 2002): Bulletin Created. 

[***** End Microsoft Security Bulletin MS02-019 *****
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-059: Red Hat "groff" Vulnerability
M-060: JRE Bytecode Verifier Vulnerability
M-061: HP VVOS Web proxy Vulnerability
M-062: Double Free Bug in zlib Compression Library
M-063: Microsoft Internet Explorer Vulnerabilities
CIACTech02-002: Microsoft Browser Helper Objects (BHO) Could Hide Malicious Code
M-064: Cisco web interface vulnerabilities in ACS for Windows
M-065: Red Hat Race Conditions in "logwatch"
M-066: Microsoft Cumulative Patch for Internet Information Services (IIS) Vulnerabilities
M-067: SGI Mail, mailx, sort, timed, and gzip Vulnerabilities



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH