COMMAND

    IE

SYSTEMS AFFECTED

    IE 5 and Excel 2000 & PowerPoint 2000

PROBLEM

    Georgi Guninski  found following.   Internet Explorer  5.01, Excel
    2000 and PowerPoint under  Windows 98 (suppose other  versions are
    also vulnerable,  have not  tested) allow  executing programs when
    viewing a web page or HTML  email message - in the latter  case at
    least with IFRAME.   This allows taking  full control over  user's
    computer.

    IE 5.01 allows  getting dangereous ActiveX  objects with the  help
    of the <OBJECT>  tag and Office  2000 applications.   For example,
    the following code loads a .xla file:

        <object data="Book1.xla" id="sh1" width=0 height=0></object>

    where Book1.xla is  just a .xls  file renamed to  .xla.  The  same
    result may be  achieved with a  .ppt or .xls  file, probably other
    Office 2000 file types.

    The result is having an object  in IE that has a method  SaveAs().
    Suppose there are more dangerous methods, have little knowledge on
    Office  2000  objects.   The  SaveAs  method  may  save  the Excel
    Workbook (or  Addin) or  PowerPoint object  in arbitrary location,
    including the Start Up folder.   The content of the saved file  is
    controllable and  depends on  the content  of Book1.xla.   If  the
    saved file is for example a  .hta file, it is possible to  execute
    arbitrary programs on the user's computer.

    The code is:

    <object data="Book1.xla" id="sh1" width=0 height=0>
    </object>
    <SCRIPT>
    function f()
    {
    fn="C:\\georgi-xla.hta";
    sh1.object.SaveAs(fn,6);
    //sh1.object.SaveAs("C:\\windows\\Start
    Menu\\Programs\\StartUp\\georgi-xla.hta",6);
    alert(fn+" sucessfully written");
    }
    setTimeout("f()",5000);
    </SCRIPT>

    Demonstration is available at:

        http://www.nat.bg/~joro/sheetex.html

    An interesting  point to  note is  that IE  will prompt  / disable
    (depending upon your security settings) the Excel execution before
    actually executing the OBJECT tag and JavaScript, unlike with  the
    Access example.  This is  probably due to IE executing  associated
    files from the  OBJECT tag before  sanity checking the  execution.
    Where as with  the Excel example,  a piece of  JavaScript actually
    writes to  the user's  hard disk  causing IE  to prevent this from
    executing until approved by the user.

SOLUTION

    Disable  Active  Scripting  or  Disable  Run  ActiveX controls and
    plug-ins.

    Patch availability:

        http://officeupdate.microsoft.com/2000/downloaddetails/Addinsec.htm
        http://officeupdate.microsoft.com/downloaddetails/PPt97sec.htm