Multiple Vulnerabilities in Microsoft's Office Web Components ActiveX Control

Reported August 21, 2002, byMicrosoft.

VERSIONS AFFECTED

·        MicrosoftOffice Web Components 2002 and 2000

MicrosoftProducts that include Office WebComponents:

DESCRIPTION

Threevulnerabilities exist in the ActiveX control of Microsoft’s Office WebComponents 2002 and 2000. These vulnerabilities result from problems in thefollowing methods and functions included in the ActiveX control:

·        Host(). This function provides the caller with access toapplications’ object models on the user’s system. By using the Host()function, an attacker can open an Office application on the vulnerable systemand invoke commands under the user’s security context.

·        LoadText(). This method lets a Web page load text into abrowser window. The method checks that the source of the text is in the samedomain as the window and should restrict the page to loading only text that ithosts itself. An attacker can bypass this restriction by specifying a textsource located within the Web page’s domain, and then setting up a server-sideredirect of that text to a file on the user’s system. An attacker can thenread any file on the vulnerable user’s system.

·        Copy()/Paste(). These methods let a user copy and pastetext. A vulnerability stems from the fact that the method doesn't respect the“disallow paste via script” security setting in Microsoft Internet Explorer(IE). As a result, even if the user selects this security setting in IE, anattacker can use the Web page to continue to access the copy buffer and read anytext that the vulnerable user had copied or cut from within other applications.

VENDOR RESPONSE

Thevendor, Microsoft, has released SecurityBulletin MS02-044(Unsafe Functions in Office Web Components) to address these vulnerabilities andrecommends that affected users download and apply the appropriate patchmentioned in the bulletin.

CREDIT
Discovered by Microsoft.