Microsoft Security Bulletin MS01-028 RTF document linked to template can run macros without warning
Security Bulletin Issued by Microsoft May 21, 2001
The following is the list of vulnerable products:
- Microsoft Word 98 for the Mac
- Microsoft Word 2001 for the Mac
Summary
When Microsoft Word opens a RTF (Rich Text Format) file that contains a link to a template, only the RTF file is checked for macros. When a a macro is embedded into the template file that was opened from a link in the RTF file an attacker could set the macro to run automatically and execute commands without your authorization – you even knowing it.
Macros have the ability to run any command that the user would be able to run, from pasting text that says “j00 are 0wn3d” 3000 times to modifying the user’s security preferences in word so future documents aren’t checked for macros!
Patches/Fixes
Microsoft Word 98 for the Mac:
English Download BinHqx Format
Japanese Download BinHqx Format
Microsoft Word 2001 for the Mac:
Office 2001 for Mac Service Release 1
For more instructions about the Mac OS versions of this security flaw visit Microsoft’s website
Facts About This Vulnerability
From the Microsoft Security Bulletin
The vulnerability only affects Word. Other Office products are not affected.
The vulnerability does not occur when opening Word documents, only when opening RTF documents, and even then only when the RTF document is linked to a template.
What Is a Template
From the Microsoft Security Bulletin
A template can be thought of as a skeleton document. For instance, a template of a research paper might define the needed styles, include pre-built headers and footers, and include any required boilerplate text. When a user needs to create a new research paper, she could use the template as a foundation upon which to develop her actual paper.
What Could the Macro Do?
From the Microsoft Security Bulletin
The macro would be able to take any action that the user herself could take on her machine. This would include adding, changing or deleting files, communicating with a web site, reformatting the hard drive, and so forth.
It’s worth noting that a macro also could change the user’s security setting. This could include disabling macro protection. As a result, if the user were attacked via this vulnerability, one of the outcomes could be that the user’s security settings would be reduced, and other macros that normally would be stopped by Word would now be able to run.