Spyware Doctor
Spyware Doctor with AntiVirus
PC Tools AntiVirus
PC Tools Internet Security
PC Tools Firewall Plus
ThreatFire
Spam Monitor
Registry Mechanic
Desktop Maestro
File Recover
Privacy Guardian
PC Tools Disk Suite
Spyware Doctor Enterprise
Help me choose
Flaw in Word Fields and Excel External Updates New
A security vulnerability exists in Microsoft Word and Excel which could enable an attacker to create a document that, when opened, would update itself to include the contents of a file from the user's local computer.
Issue
Word and Excel provide a mechanism through which data from one document can be inserted to and updated in another document. This mechanism, known as field codes in Word and external updates in Excel, can be automated to reduce the amount of manual effort required by a user. An example of the use of Word field codes could be the automatic insertion of a standard disclaimer paragraph in a legal document. An example of the use of external updates in Excel could be the automatic updating of a chart in one spreadsheet using data in a different spreadsheet.
A vulnerability exists because it is possible to maliciously use field codes and external updates to steal information from a user without the user being aware. Certain events can trigger field code and external update to be updated, such as saving a document or by the user manually updating the links. Normally the user would be aware of these updates occurring, however a specially crafted field code or external update can be used to trigger an update without any indication to the user. This could enable an attacker to create a document that, when opened, would update itself to include the contents of a file from the user’s local computer.
In order for an attacker to take advantage of this vulnerability, the attacker would need to perform the following steps:
- Craft a Word or Excel document that exploits the vulnerability
- Deliver it to the user, via email or some other method
- Entice the user to open the document
- Return the document to the attacker
Affected Products
- Microsoft Word 2002
- Microsoft Word 2000
- Microsoft Word 97
- Microsoft Word 98(J)
- Microsoft Word X for Macintosh
- Microsoft Word 2001 for Macintosh
- Microsoft Word 98 for Macintosh
- Microsoft Excel 2002
Download
Software patches are available from the following locations:
- Microsoft Word 2002
- Microsoft Word 2000
- Word 97/Word 98(J)
- Word X for Macintosh
- Word 2001 for Macintosh
- Word 98 for Macintosh
- Excel 2002
Further Details
Source: Microsoft Corporation
Reference: Microsoft Corporation
Updated: October 17, 2002
>> Recommended Download - secure your PC from spyware, adware and malware now with Spyware Doctor <<
