[15913] in bugtraq
Re: (New ?) Macro security hole in Word 97
daemon@ATHENA.MIT.EDU (Bronek Kozicki)
Sat Jul 22 19:27:34 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <001501bff41c$39326990$bb01a8c0@internal.getin.pl>
Date: Sat, 22 Jul 2000 22:34:24 +0200
Reply-To: Bronek Kozicki <brok@RUBIKON.PL>
From: Bronek Kozicki <brok@RUBIKON.PL>
X-To: "Bongard, Dominique" <Bongard.Dominique@PMINTL.CH>
To: BUGTRAQ@SECURITYFOCUS.COM
From: "Bongard, Dominique" <Bongard.Dominique@PMINTL.CH>
Sent: Friday, July 21, 2000 9:46 AM
> When the next user on my station opened word, the file was automatically
> opened, and the macro executed without asking for any confirmation.
I have found the same problem on Windows 2000, running MS Word 2000 (without
SR1). Temp file was saved in my private TEMP directory, not system-wide. I
have international (Polish) version of Windows 2000 and Office 2000.
Together with another vulnerability ("Force Feeding" - bugtraqid 1394) this
could be very dangerous - simple HTML may put
Auto_Recovery_of_eat_me_now.asd
in user's temp directory. When he/she starts MS Word, it will be
executed, regardless of Word macro setting. I have not tested it - "force
feeding" does not work for me.
Regards
B.
