Message-ID: <28915501A44DBA4587FE1019D675F98307C6DF@grfint.intern.adiscon.com>
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Subject: FW: Microsoft Security Bulletin MS03-035: Flaw in Microsoft Word Could Enable Macros to Run Automatically(827653)

Actually, this was the "dumb me" syndrome. After some research (reading
the fine print ;)) I figured out that my workstation did not have Office
XP SP2 installed. That does not explain why Office Update does not
work (http://office.microsoft.com/productupdate/), but at least I could
install.

OK, so I am guilty of not checking the system requirements. Agreed. Bash
me for this ;) But couldn't the error message be a bit more descriptive?
I wonder how many end users will simply stop at this point. On a test
machine, I also noticed that Office XP SP2 is not cumulative, so you
receive the same cryptic error message if you try to install SP2 but SP1
is not installed. I would suggest that SPs be cumulative in all
cases...

Rainer

> -----Original Message-----
> From: Rainer Gerhards 
> Sent: Thursday, September 04, 2003 10:39 AM
> To: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] FW: Microsoft Security Bulletin 
> MS03-035: Flaw in Microsoft Word Could Enable Macros to Run 
> Automatically(827653)
> 
> 
> Excellent piece of Microsoft software...
> 
> Can't even install it on Word 2002 German on WinXP German. The patch
> says (translated) "did not find the product expected". I then tried the
> office update site. That fails with a general error, telling me I
> should review my security settings.
> 
> Bottom line: nice patch, but can't install...
> 
> Am I now guilty of laziness if I do not patch?
> 
> Anyone else with similar problems?
> 
> Rainer Gerhards
> 
> > -----Original Message-----
> > From: Microsoft 
> > [mailto:0_51912_A303F73D-CBD5-4F48-8040-2B7DCAAAC7DF_DE@...sle
> > tters.Microsoft.com] 
> > Sent: Thursday, September 04, 2003 6:41 AM
> > To: Rainer Gerhards
> > Subject: Microsoft Security Bulletin MS03-035: Flaw in 
> > Microsoft Word Could Enable Macros to Run Automatically(827653)
> > 
> > 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > 
> > - -------------------------------------------------------------------
> > Title:     Flaw in Microsoft Word Could Enable Macros to Run 
> >            Automatically (827653)
> > Date:      September 3, 2003
> > Software:  Microsoft Word 97 
> >            Microsoft Word 98 (J) 
> >            Microsoft Word 2000 
> >            Microsoft Word 2002 
> >            Microsoft Works Suite 2001 
> >            Microsoft Works Suite 2002 
> >            Microsoft Works Suite 2003 
> > Impact:    Run macros without warning 
> > Max Risk:  Important
> > Bulletin:  MS03-035
> > 
> > Microsoft encourages customers to review the Security Bulletins at:
> >     
> > http://www.microsoft.com/technet/security/bulletin/MS03-035.asp 
> > http://www.microsoft.com/security/security_bulletins/MS03-035.asp
> > 
> > - -------------------------------------------------------------------
> > 
> > Issue:
> > ======
> > A macro is a series of commands and instructions that can be 
> > grouped together as a single command to accomplish a task 
> > automatically. Microsoft Word supports the use of macros to allow 
> > the automation of commonly performed tasks. Since macros are 
> > executable code it is possible to misuse them, so Microsoft Word 
> > has a security model designed to validate whether a macro should be 
> > allowed to execute depending on the level of macro security the 
> > user has chosen.
> > 
> > A vulnerability exists because it is possible for an attacker to 
> > craft a malicious document that will bypass the macro security 
> > model. If the document was opened, this flaw could allow a 
> > malicious macro embedded in the document to be executed 
> > automatically, regardless of the level at which macro security is 
> > set. The malicious macro could take the same actions that the user 
> > had permissions to carry out, such as adding, changing or deleting 
> > data or files, communicating with a web site or formatting the hard 
> > drive. 
> > 
> > The vulnerability could only be exploited by an attacker who 
> > persuaded a user to open a malicious document - there is no way for 
> > an attacker to force a malicious document to be opened.
> > 
> > Mitigating Factors:
> > ====================
> >  - The user must open the malicious document for an attacker to be 
> >    successful. An attacker cannot force the document to be opened 
> >    automatically. 
> > 
> >  - The vulnerability cannot be exploited automatically through
> >    e-mail. A user must open an attachment sent in e-mail for an
> >    e-mail borne attack to be successful.
> > 
> >  - By default, Outlook 2002 blocks programmatic access to the 
> >    Address Book. In addition, Outlook 98 and 2000 block 
> >    programmatic access to the Outlook Address Book if the Outlook 
> >    Email Security Update has been installed. Customers who use any 
> >    of these products would not be at risk of propagating an e-mail 
> >    borne attack that attempted to exploit this vulnerability. 
> > 
> >  - The vulnerability only affects Microsoft Word - other members of
> >    the Office product family are not affected. 
> > 
> > Risk Rating:
> > ============
> >  -Important
> > 
> > Patch Availability:
> > ===================
> >  - A patch is available to fix this vulnerability. Please read the 
> >    Security Bulletins at
> > 
> >   http://www.microsoft.com/technet/security/bulletin/MS03-035.asp 
> >   http://www.microsoft.com/security/security_bulletins/MS03-035.asp
> > 
> >    for information on obtaining this patch.
> > 
> > Acknowledgment:
> > ===============
> >  - Jim Bassett of Practitioners Publishing Company 
> > (http://www.ppcnet.com)
> > - -------------------------------------------------------------------
> > 
> > THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
> > PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS 
> > ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES 
> > OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO 
> > EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR 
> > ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, 
> > CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF 
> > MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE 
> > POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION 
> > OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES 
> > SO THE FOREGOING LIMITATION MAY NOT APPLY.
> > 
> > 
> > 
> > 
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 8.0.2
> > 
> > -----END PGP SIGNATURE-----
> > 
> > 
> > 
> > *******************************************************************
> > 
> > You have received this e-mail bulletin because of your 
> > subscription to the Microsoft Product Security Notification 
> > Service.  For more information on this service, please visit 
> > http://www.microsoft.com/technet/security/notify.asp.
> >  
> > To verify the digital signature on this bulletin, 
> > please download our PGP key at 
> > http://www.microsoft.com/technet/security/notify.asp.
> >  
> > To unsubscribe from the Microsoft Security 
> > Notification Service, please visit the Microsoft Profile 
> > Center at http://register.microsoft.com/regsys/pic.asp 
> >  
> > If you do not wish to use Microsoft Passport, you can 
> > unsubscribe from the Microsoft Security Notification Service 
> > via email as described below:
> > Reply to this message with the word UNSUBSCRIBE in the Subject line.
> >  
> > For security-related information about Microsoft products, 
> > please visit the Microsoft Security Advisor web site at 
> > http://www.microsoft.com/security.
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

