COMMAND

    winword.exe, iexplore.exe

SYSTEMS AFFECTED

    Systems with WinWORD 97, IE 4.x/5

PROBLEM

    The following is based on a Microsoft Security Bulletin.  There's a
    vulnerability in Word 97 which could permit macros to run  without
    warning  the  user  when  the  user  opens  a  document based on a
    template containing macros. A malicious hacker could exploit  this
    vulnerability  to  cause  malicious  macro  code to be run without
    warning if  a user  opens a  Word attachment  that was  sent by  a
    malicious  hacker,  or  posted  on  a  web  site controlled by the
    malicious hacker.  This malicious macro could possibly be used  to
    damage or retrieve data on a user's system.

    Vesselin Vladimirov Bontchev, who seems to have found this one,
    added the following.  Essentially, if you are using Internet Explorer 4.x
    or 5.x and Word 97 (the  beta, the original release, SR-1, or  the
    SR-2 patch), you  are vulnerable.   Vulnerable, in the  sense that
    just  visiting  a  Web  page  can  result  in running a hostile VBA
    program on your  machine without any  warnings.  If,  in addition,
    you  are  using  Outlook  (any  version  of it), you are even more
    vulnerable - the  attacker can run  a hostile VBA  program on your
    machine by just sending you  an HTML e-mail message. (The  hostile
    program will be run  when you just VIEW  the message - no  need to
    click  on  any  links.)   The  hostile  program  can do just about
    anything (drop a virus, delete files, steal information) - VBA  is
    an extremely  powerful language  - and  very easily.   The problem
    consists of several  parts. The first  part is caused  by the fact
    that    by    default    IE    4.x/5.x    automatically   launches
    Word/Excel/PowerPoint  to  view  URLs  which  point to DOC/XLS/PPT
    files  (and  all  other  file  extensions for these applications).
    That is, you  are not given  the option to  save the file  to disk
    instead of opening it. If the file contains hostile macros,  these
    macros could be executed by the respective application.

    Microsoft  "protects"  you  from  such  attacks with the so-called
    built-in macro virus protection of  the Office 97 versions of  the
    applications mentioned above.   That is, if  the document you  are
    trying to open contains any macros, the application will display a
    warning by default (this can be easily turned off) and will  offer
    you the options  to open the  document as is,  to open it  without
    the macros (the default),  or not to open  it at all. Please  note
    that this protection is available only in Office 97 - the previous
    versions of  these applications  do not  have it  (except the rare
    Word 7.0a). But they aren't vulnerable to the attack anyway.  This
    protection has several  problems.  First  of all, it  often causes
    false positives  - it  sometimes triggers  even when  the document
    does not contain any macros.  This often causes people to turn  it
    off.  Second, it doesn't tell you whether the document contains  a
    virus or not  - it just  warns you about  the generic presence  of
    macros.  Third, and worst of all, the Word 97 implementation of it
    contains a serious security hole.  When Word 97 opens a  document,
    the  built-in  macro  virus  protection  checks  this document for
    macros (VBA modules).  However, it doesn't perform a similar check
    on the template this document is based on - and, if this  template
    contains any auto macros, they will be executed when the  document
    based on it is opened. Without any warnings whatsoever.  The third
    part of the problem is the  most substantial one - the part  which
    makes this attack easy to  carry out remotely. Note that  bad guys
    have figured out  this already -  there is at  least one Web  site
    which tempts the  user to click  on a link  allegedly containing a
    "list of sex sites passwords" and which uses this attack to infect
    the user's machine with a macro virus which infects both Word  97,
    Excel 97 and PowerPoint 97 documents.   So, the third part of  the
    problem is caused by the fact that when specifying the template  a
    Word 97 document  is based on,  you can specify  not just a  local
    file but also a URL.   The previous versions of Word do  not have
    this capability, therefore they are not vulnerable to this attack.
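
    A triage check for the remote-template reference described above, added
    here as an example and not part of the original advisory: it scans a
    file's raw bytes for http/https/ftp URLs stored as ANSI or UTF-16LE text
    and flags those whose path ends in .dot.  It is a string heuristic that
    assumes the template URL sits in the file as one contiguous string; the
    sample bytes and hostnames are constructed.

```python
import re
import sys
from urllib.parse import urlsplit

# OLE2 compound-file signature carried by Word 97 .doc/.dot files.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
_URL_BYTE = rb"[A-Za-z0-9._~:/?#@!$&()*+,;=%-]"
_SCHEMES = (b"http://", b"https://", b"ftp://")

def _pattern(wide):
    """Regex for a URL stored as ANSI bytes, or as UTF-16LE when wide is true."""
    pad = rb"\x00" if wide else b""
    schemes = b"|".join(
        b"".join(re.escape(bytes([c])) + pad for c in s) for s in _SCHEMES)
    return re.compile(b"(?:" + schemes + b")(?:" + _URL_BYTE + pad + b"){1,255}", re.I)

_PATTERNS = (("ascii", _pattern(False)), ("utf-16-le", _pattern(True)))

def scan_document(data):
    """Report every embedded URL and whether its path names a .dot template."""
    findings = []
    for encoding, pattern in _PATTERNS:
        for m in pattern.finditer(data):
            url = m.group().decode(encoding)
            findings.append({
                "offset": m.start(),
                "url": url,
                "encoding": encoding,
                "remote_template": urlsplit(url).path.lower().endswith(".dot"),
            })
    findings.sort(key=lambda f: f["offset"])
    return {"ole2": data.startswith(OLE_MAGIC), "findings": findings}

# Constructed sample: OLE2 header, padding, a UTF-16LE template URL and an
# unrelated ANSI hyperlink. Hostnames are placeholders, not real indicators.
SAMPLE = (OLE_MAGIC + b"\x00" * 504
          + "http://templates.example/macros.dot".encode("utf-16-le") + b"\x00\x00"
          + b"\xff" * 16 + b"http://www.example.com/readme.html\x00")

if __name__ == "__main__":
    for name in sys.argv[1:]:
        with open(name, "rb") as fh:
            report = scan_document(fh.read())
        for f in report["findings"]:
            if f["remote_template"]:
                print(f"{name}: remote template {f['url']} at offset {f['offset']}")
```

    A hit with remote_template set is a reason to inspect the file before it
    is opened in Word; a clean result does not prove the file is safe.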

SOLUTION

    The  Word  97  Template  Security  Patch  prevents  a  hacker from
    exploiting this vulnerability.  After installing the patch,  users
    will be warned before they  launch a document based on  a template
    that contains macros.  Installing  the patch will not disable  the
    use of templates or macros on templates.  Customers can obtain the
    patch from the free Office  Update service.  To obtain  this patch
    using Office Update, visit the Office Update site at

        http://officeupdate.microsoft.com/downloaddetails/wd97sp.htm

    Also, make the necessary changes so that IE offers you the  option
    to  save  the  remote  DOC/DOT  files  instead  of   automatically
    launching Word  to view  them.   In order  to do  this, start  the
    Explorer  (the  file  explorer,  not IE), select View/Options/File
    Types, find the types Microsoft Word <anything> (where  <anything>
    stands for Addin, Backup Document, Document, Template, Wizard  and
    anything  else  you  find  there),  select  each  one  of  them in
    sequence, click on the Edit button and make sure that the checkbox
    labeled  "Confirm  Open  After  Download"  (near the bottom of the
    dialog that appears) is checked.