[15905] in bugtraq
Re: (New ?) Macro security hole in Word 97
daemon@ATHENA.MIT.EDU (Kuo, Jimmy)
Sat Jul 22 17:31:39 2000
MIME-Version: 1.0
Content-Type: text/plain
Message-ID: <75256BFE0332D4118969009027E77E7C0FB7BB@static-5-14.dhcp.nai.com>
Date: Fri, 21 Jul 2000 16:36:14 -0700
Reply-To: "Kuo, Jimmy" <Jimmy_Kuo@NAI.COM>
From: "Kuo, Jimmy" <Jimmy_Kuo@NAI.COM>
X-To: "Bongard, Dominique" <Bongard.Dominique@PMINTL.CH>
To: BUGTRAQ@SECURITYFOCUS.COM
For a little information into what .asd files are, see:
http://support.microsoft.com/support/kb/articles/Q77/5/33.ASP

Word97 will fetch .asd files from both the directory noted by your TEMP
environment variable, as well as the directory you set in Word via
Tools/Options/FileLocations/AutoRecoverFiles.

The file name quoted below is not necessary. Only that the extension needs
to be .asd. And such files will bypass the Macro Virus Protection checkbox
offered by Word.

To not have auto* macros execute when this or any other DOCs are opened,
create a singular autoexec macro in a document named noauto.dot in the
STARTUP directory containing:

    Public Sub MAIN()
        WordBasic.DisableAutoMacros 1
    End Sub

This and many other techniques can be found in my paper, Free Macro
AntiVirus Techniques, which can be found all over the web (except at our own
website), one such location being:
http://ourworld.compuserve.com/homepages/kenbechtel/free_en.htm

Jimmy Kuo
McAfee Fellow

> -----Original Message-----
> From: Bongard, Dominique [SMTP:Bongard.Dominique@PMINTL.CH]
> Sent: Friday, July 21, 2000 12:47 AM
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: (New ?) Macro security hole in Word 97
>
> Hi,
>
> I found something very annoying yesterday, and I found no reference about
> it on security lists. So I will share it here.
>
> System used: NT4.0, word97
> Temp directory: C:\temp
>
> What I did is create a Word document with an AutoOpen macro.
> I then saved the file in the temp directory and renamed it to:
>
> C:\temp\Auto_Recovery_Of_something.asd
>
> I then closed the session.
>
> When the next user on my station opened Word, the file was automatically
> opened, and the macro executed without asking for any confirmation.
>
> Has anyone ever heard of this one?
>
> Dominique Bongard
>
>
> ----------------------------------------------------------
> "They that can give up liberty to obtain a little temporary safety deserve
> neither liberty or safety" Benjamin Franklin
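
A defender-side check for the behaviour discussed in this thread, added here as an example and not code from either poster: it lists .asd files, whatever their name, in the directories Word reads recovery files from and flags those that look like macro-bearing Word documents. It assumes the planted file is a renamed Word 97 document as in the report; the function names and sample files are constructed for illustration, the marker match is a heuristic, and the AutoRecover directory has to be supplied by the caller.

```python
import os
import tempfile
from pathlib import Path

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound-file signature
# OLE2 directory-entry names are stored as UTF-16LE; a Word 97 document keeps
# its VBA project in a "Macros" storage that holds a "_VBA_PROJECT" stream.
VBA_MARKERS = [n.encode("utf-16-le") for n in ("Macros", "_VBA_PROJECT")]

def has_macro_storage(path):
    """Heuristic: OLE2 file whose bytes contain a VBA storage/stream name."""
    data = Path(path).read_bytes()
    return data.startswith(OLE_MAGIC) and any(m in data for m in VBA_MARKERS)

def find_suspect_asd(directories):
    """Return .asd files (any file name, any case) that look macro-bearing."""
    hits = []
    for directory in map(Path, directories):
        if not directory.is_dir():
            continue
        for entry in directory.iterdir():
            if (entry.is_file() and entry.suffix.lower() == ".asd"
                    and has_macro_storage(entry)):
                hits.append(entry)
    return sorted(hits)

def word_pickup_dirs(autorecover_dir=None):
    """TEMP plus the AutoRecover location set in Word, if the caller gives it."""
    dirs = [os.environ.get("TEMP") or tempfile.gettempdir()]
    if autorecover_dir:
        dirs.append(autorecover_dir)
    return dirs

def demo():
    """Scan constructed sample files; returns the names that were flagged."""
    macro_doc = OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le")
    plain_doc = OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le")
    samples = {"constructed_macro.asd": macro_doc, "ANY_NAME.ASD": macro_doc,
               "constructed_plain.asd": plain_doc, "notes.asd": b"plain text",
               "constructed_macro.doc": macro_doc}  # .doc is outside the scan
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in samples.items():
            Path(tmp, name).write_bytes(blob)
        return [p.name for p in find_suspect_asd([tmp])]

if __name__ == "__main__":
    for hit in find_suspect_asd(word_pickup_dirs()):
        print("review before starting Word:", hit)
```

A hit is not proof of tampering, since a genuine recovery copy of a document with macros matches too; it marks a file to inspect before Word is next started on a shared machine.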