Message-ID: <3D4816AB.8020109@guninski.com>
From: guninski at guninski.com (Georgi Guninski)
Subject: IE and .xla may lead to problems
Georgi Guninski security advisory #57, 2002
IE and .xla may lead to problems
Systems affected:
Office XP + IE 6.0 + Win2K (probably others)
Risk: High
Date: 31 July 2002
Legal Notice:
This Advisory is Copyright (c) 2002 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission.
If you want to link to this content use the URL:
http://www.guninski.com/iexla.html
Anything in this document may change without notice.
Disclaimer:
The information in this advisory is believed to be true though
it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.
Description:
If an IE user visits a specially designed web page, the page may create
almost arbitrary files on his computer. This may lead to executing arbitrary
programs on the user's computer.
Details:
This isn't quite a new issue, but the involvement of IE in it makes it worth
noting. [1] (from March 2002) describes problems with the MS spreadsheet
component [2] and in its Host() function, which may be exploited to create
a file.
Microsoft tried to produce a partial patch on the issue, but the problem isn't
solved yet. It is still possible to create a .xls or .xla file which writes
files with the help of OWC. The .xla file may be just an .html file with an
.xla extension.
Note: the HTML formatting of [1] is broken, so newlines should
be dealt with.
Another interesting problem is [3] from 2000. The key point in it is that
IE may invoke Excel with <object data="file.xla"></object>. Though not
visible, Excel executes "file.xla", which may contain tricks from
[1], so OWC does SaveAs().
So the strange ActiveX scheme is like this: IE -> Excel -> OWC -> Excel ->
SaveAs().
Workaround/Solution:
In IE disable "Run ActiveX controls and plugins"
Have not tested this personally but probably works:
Deregister and delete the ms office spreadsheet component and/or all the
OWC. This may be done from:
Control Panel - Add/Remove Programs - Office - Change (then look for OWC)
Vendor status:
Microsoft was notified several days ago - they have opened a case on this
report.
References
(available from www.guninski.com and public lists):
[1] Georgi Guninski security advisory #53, 2002 -
More Office XP problems - Version 3.0 - 31 March 2002
[2] The spreadsheet component from OWC is well documented on the office cds.
[3] Georgi Guninski security advisory #13, 2000
IE 5 and Excel 2000, PowerPoint 2000 vulnerability - executing programs
Regards,
Georgi Guninski
http://www.guninski.com
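
The following is an added example, not part of the original advisory: a check a web proxy or content filter could apply to the two conditions described under Details, namely a page embedding an Excel file through <object data=...> and an .xla/.xls file whose content is really HTML. The function names, the `fetched` mapping and the sample inputs are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # header of a binary Excel file
EXCEL_EXTS = (".xla", ".xls")

def looks_like_html(data: bytes) -> bool:
    """True when content named .xla/.xls is markup rather than an OLE2 file."""
    if data.startswith(OLE2_MAGIC):
        return False
    head = data[:4096].lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    return bool(re.search(rb"<\s*(html|head|body|meta|object|script|xml)\b", head))

class ObjectDataFinder(HTMLParser):
    """Collects <object data=...> URLs that point at Excel file types."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag != "object":
            return
        for name, value in attrs:
            if name == "data" and value:
                path = value.split("?", 1)[0].split("#", 1)[0].lower()
                if path.endswith(EXCEL_EXTS):
                    self.hits.append(value)

def excel_objects(page: str) -> list:
    """Return the data URLs of <object> tags that would hand a file to Excel."""
    finder = ObjectDataFinder()
    finder.feed(page)
    finder.close()
    return finder.hits

def triage(page: str, fetched: dict) -> dict:
    """Map each Excel <object> URL to True if its bytes are disguised HTML.
    `fetched` (assumed) holds url -> bytes already retrieved by the filter."""
    return {url: looks_like_html(fetched.get(url, b"")) for url in excel_objects(page)}

# Constructed samples, not taken from the advisory.
SAMPLE_PAGE = ('<html><body><OBJECT DATA="addin.xla" width=0 height=0></OBJECT>'
               '<object data="pic.svg"></object></body></html>')
SAMPLE_FAKE_XLA = b"\r\n<html><body>placeholder</body></html>"
SAMPLE_REAL_XLA = OLE2_MAGIC + b"\x00" * 504

if __name__ == "__main__":
    print(triage(SAMPLE_PAGE, {"addin.xla": SAMPLE_FAKE_XLA}))
```

A hit from `excel_objects` alone is worth logging; a hit where `triage` also returns True matches the HTML-as-.xla case the advisory describes and is a candidate for blocking.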