COMMAND

    Microsoft Office 2000 UA Control Scripting

SYSTEMS AFFECTED

    Microsoft Office 2000 on 95/98, NT 4.0 and 2000

PROBLEM

    The following is based on the L0pht Research Labs Security Advisory.
    Microsoft  Office  2000  ships  with  an  ActiveX  control   named
    "Microsoft Office UA Control". It  is installed by default and  is
    categorized  as  being  "safe  for  scripting".   The  control  is
    undocumented, and  its interfaces  are presumably  used to  script
    "Show  Me"  demonstrations  for  Office  2000  help  and   'office
    assistant'  functionality.  Analysis  of  the  control's interface
    reveals functionality to script  almost any action in  Office 2000
    that the user could perform from the keyboard, including, but  not
    limited to,  lowering the  macro security  settings to  low.  This
    action  can  be  scripted  from  any  HTML page viewed with active
    scripting enabled,  including both  Internet Explorer  and Outlook
    e-mail in their default configurations.

    The Microsoft Office UA  control exports a powerful  interface for
    automating  commands  within  the  Office  2000 environment.   The
    problem lies in the fact  that the control should -not-  be marked
    safe for  scripting.   The capabilities  of this  control are such
    that  scripting  it  via  remote  HTML  and email sources makes it
    extremely  dangerous.   A  demonstration  of  the  vulnerabilities
    associated with this control is provided below.

    The vulnerability demonstration performs the following actions:

        1. Start an instance of Microsoft Word by pointing a table frame
           to a Word document URL with no macros or active content.
        2. Programmatically create the UA control
        3. Attach the UA control to the first instance of Microsoft Word
        4. Make Word the active application
        5. Show the Tools/Macro/Security dialog
        6. Click on the 'LOW' security radio button
        7. Click on the 'OK' button to confirm the change
        8. Proceed to re-point a table frame to a Word document URL
           with a macro, which runs without prompting.

    The  fact  that  this  control  exists  and  is  installed in this
    particular  fashion  would  permit  the  construction of a worm of
    unparalleled devastation, as  it would be  able to turn  off macro
    virus protection  and 'script'  its way  to all  of the  people in
    your address book.

    A demonstration of this vulnerability is available at:

        http://www3.l0pht.com/~dildog/ouahack/index.html

    This demonstration will set your Word 2000 macro security settings
    to 'LOW'. An option will be presented to set it back to 'HIGH'  or
    'MEDIUM'.  The demonstration  code is intentionally written  to be
    harmless,  but  a  worst  case  scenario could easily involve more
    malicious  code  to  perform  such  actions  as file modification,
    propagating  worms  and viruses,  or providing  external access to
    internal network resources.

SOLUTION

    Disable Active Scripting in  all Office 2000 applications,  and in
    Internet Explorer.   It is no  longer sufficient to  turn on macro
    virus protection, as this  vulnerability allows those settings  to
    be circumvented.

    Vendor response and official patch:

        http://officeupdate.microsoft.com/info/ocx.htm
        http://www.microsoft.com/technet/security/bulletin/ms00-034.asp
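
    To check a machine for other controls registered the way this one
    was, the added example below (not from the L0pht advisory or from
    Microsoft) parses a registry export and lists COM classes that are
    marked safe for scripting and have no kill bit set. The category ID
    and the "ActiveX Compatibility" kill bit are standard Windows
    registry mechanisms that the advisory does not spell out; the
    sample export, CLSIDs and control names are constructed.

```python
import re

# Component category that marks a COM class "safe for scripting" for IE.
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
KILL_BIT = 0x400  # "Compatibility Flags" bit that stops IE loading a control

GUID = r"(\{[0-9A-Fa-f-]+\})"
CLSID_KEY = re.compile(r"\\CLSID\\" + GUID + "$")
CATEGORY_KEY = re.compile(r"\\CLSID\\" + GUID + r"\\Implemented Categories\\" + GUID + "$")
COMPAT_KEY = re.compile(r"\\ActiveX Compatibility\\" + GUID + "$")

# Constructed sample in .reg export format; CLSIDs and names are placeholders.
SAMPLE_REG = r"""
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000A1}]
@="Example Help Automation Control"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000A1}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000B2}]
@="Example Chart Control"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000B2}\Implemented Categories\{7dd95801-9882-11cf-9fa9-00aa006c42c4}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000C3}]
@="Example Unmarked Control"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000B2}]
"Compatibility Flags"=dword:00000400
"""

def audit(reg_text):
    """Return {CLSID: name} for classes marked safe for scripting without a kill bit."""
    names, scriptable, killed, key = {}, set(), set(), ""
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # remember which key the following values belong to
            m = CATEGORY_KEY.search(key)
            if m and m.group(2).upper() == CATID_SAFE_FOR_SCRIPTING:
                scriptable.add(m.group(1).upper())
        elif line.startswith("@=") and CLSID_KEY.search(key):
            names[CLSID_KEY.search(key).group(1).upper()] = line[2:].strip('"')
        elif line.lower().startswith('"compatibility flags"=dword:'):
            m = COMPAT_KEY.search(key)
            if m and int(line.rsplit(":", 1)[1], 16) & KILL_BIT:
                killed.add(m.group(1).upper())
    return {c: names.get(c, "(unnamed)") for c in sorted(scriptable - killed)}

if __name__ == "__main__":
    print(audit(SAMPLE_REG))
```

    A control can also declare itself safe at run time through the
    IObjectSafety interface, which a registry audit like this one does
    not see. Real .reg exports are usually UTF-16, so decode the file
    before passing its text to audit().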