Multiple Vulnerabilities in Microsoft's Office Web Components ActiveX Control

Three vulnerabilities exist in the ActiveX control of Microsoft’s Office Web Components 2002 and 2000. These vulnerabilities result from problems in the following methods and functions included in the ActiveX control.

Ken Pfeil

August 22, 2002

4 Min Read
ITPro Today logo in a gray background | ITPro Today

Reported August 21, 2002, byMicrosoft.

VERSIONS AFFECTED

 

·        MicrosoftOffice Web Components 2002 and 2000

 

MicrosoftProducts that include Office WebComponents:

 

  • Microsoft Money 2002 and 2003

  • Microsoft BizTalk Server 2002 and 2000

  • Microsoft BackOffice Server 2000

  • Microsoft Commerce Server 2002 and 2000

  • Microsoft Internet Security and Acceleration Server 2000

  • Microsoft Office XP

  • Microsoft Project 2002

  • Microsoft Project Server 2002

  • Microsoft Small Business Server 2000

 

DESCRIPTION

 

Threevulnerabilities exist in the ActiveX control of Microsoft’s Office WebComponents 2002 and 2000. These vulnerabilities result from problems in thefollowing methods and functions included in the ActiveX control:

 

·        Host(). This function provides the caller with access toapplications’ object models on the user’s system. By using the Host()function, an attacker can open an Office application on the vulnerable systemand invoke commands under the user’s security context.

 

·        LoadText(). This method lets a Web page load text into abrowser window. The method checks that the source of the text is in the samedomain as the window and should restrict the page to loading only text that ithosts itself. An attacker can bypass this restriction by specifying a textsource located within the Web page’s domain, and then setting up a server-sideredirect of that text to a file on the user’s system. An attacker can thenread any file on the vulnerable user’s system.

 

·        Copy()/Paste(). These methods let a user copy and pastetext. A vulnerability stems from the fact that the method doesn't respect the“disallow paste via script” security setting in Microsoft Internet Explorer(IE). As a result, even if the user selects this security setting in IE, anattacker can use the Web page to continue to access the copy buffer and read anytext that the vulnerable user had copied or cut from within other applications.

 

VENDOR RESPONSE

 

Thevendor, Microsoft, has released SecurityBulletin MS02-044(Unsafe Functions in Office Web Components) to address these vulnerabilities andrecommends that affected users download and apply the appropriate patchmentioned in the bulletin.

 

CREDIT
Discovered by Microsoft.

Read more about:

Microsoft
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like