Multiple Vulnerabilities in Microsoft's Office Web Components ActiveX Control
Three vulnerabilities exist in the ActiveX control of Microsoft’s Office Web Components 2002 and 2000. These vulnerabilities result from problems in the following methods and functions included in the ActiveX control.
August 22, 2002
Reported August 21, 2002, byMicrosoft.
VERSIONS AFFECTED
· MicrosoftOffice Web Components 2002 and 2000
MicrosoftProducts that include Office WebComponents:
Microsoft Money 2002 and 2003
Microsoft BizTalk Server 2002 and 2000
Microsoft BackOffice Server 2000
Microsoft Commerce Server 2002 and 2000
Microsoft Internet Security and Acceleration Server 2000
Microsoft Office XP
Microsoft Project 2002
Microsoft Project Server 2002
Microsoft Small Business Server 2000
DESCRIPTION
Threevulnerabilities exist in the ActiveX control of Microsoft’s Office WebComponents 2002 and 2000. These vulnerabilities result from problems in thefollowing methods and functions included in the ActiveX control:
· Host(). This function provides the caller with access toapplications’ object models on the user’s system. By using the Host()function, an attacker can open an Office application on the vulnerable systemand invoke commands under the user’s security context.
· LoadText(). This method lets a Web page load text into abrowser window. The method checks that the source of the text is in the samedomain as the window and should restrict the page to loading only text that ithosts itself. An attacker can bypass this restriction by specifying a textsource located within the Web page’s domain, and then setting up a server-sideredirect of that text to a file on the user’s system. An attacker can thenread any file on the vulnerable user’s system.
· Copy()/Paste(). These methods let a user copy and pastetext. A vulnerability stems from the fact that the method doesn't respect the“disallow paste via script” security setting in Microsoft Internet Explorer(IE). As a result, even if the user selects this security setting in IE, anattacker can use the Web page to continue to access the copy buffer and read anytext that the vulnerable user had copied or cut from within other applications.
VENDOR RESPONSE
Thevendor, Microsoft, has released SecurityBulletin MS02-044(Unsafe Functions in Office Web Components) to address these vulnerabilities andrecommends that affected users download and apply the appropriate patchmentioned in the bulletin.
CREDIT
Discovered by Microsoft.
Read more about:
MicrosoftAbout the Author
You May Also Like