Office 2000: UA Control Vulnerability

Microsoft today released a patch that eliminates a security vulnerability in Office 2000 that "could allow a malicious web site operator to take inappropriate action on the computer of a user who visited his web site."

The basic flaw is that an ActiveX control that ships as part of Office 2000
was incorrectly marked as "safe for scripting."
This control, known as the Office 2000 UA Control, is "used by the
so called ‘Show Me’ function in Office Help, and allows Office functions
to be scripted," according to a Security Bulletin sent out by Microsoft
today. "A malicious web site operator could use the control to carry out
Office functions on the machine of a user who visited his site."

Weld Pond of @Stake Inc., L0pht Research Labs, adds though:
"A disappointing part of this security bulletin is where Microsoft
describes the problem…they neglect to mention the very serious problem
of receiving malicious HTML files via a web enabled mail client such as Outlook.
Malicious web pages are a minor problem. Email viruses and worms are a very serious
problem. They spread exponentially and are harder to track."

A temporary solution, according to Weld, is to disable Active Scripting in all Office
2000 applications, and in Internet Explorer. “It is no longer sufficient to turn
on macro virus protection, as this vulnerability allows those settings to be circumvented,”
he adds.

The control ships only as part of Office 2000 and of individual Office applications,
such as Word 2000 and PowerPoint 2000. According to Microsoft, the patch removes
all "unsafe functionality," with the result that the 'Show Me' function will be disabled in
Office 2000.
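
An added example (not from this article or from Microsoft) of how an administrator could audit which ActiveX controls carry the registry-based "safe for scripting" marking at the heart of this flaw, and flag any that have not been reviewed. It parses a constructed registry export; the CLSIDs, control names and the reviewed allowlist are placeholder assumptions, and the two category IDs are the standard Windows ones for safe-for-scripting and safe-for-initialization. Controls that declare safety at run time through IObjectSafety do not appear in such an export.

```python
import re

# Component category IDs Windows uses for registry-based safety marking.
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C4A84}"
CATID_SAFE_FOR_INIT = "{7DD95802-9882-11CF-9FA9-00AA006C4A84}"
KEY_RE = re.compile(
    r"^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]{36}\})"
    r"(?:\\Implemented Categories\\(\{[0-9A-Fa-f-]{36}\}))?\]$")
NAME_RE = re.compile(r'^@="(.*)"$')

# Constructed sample export (already decoded to text); CLSIDs and names are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}]
@="Constructed Help Automation Control"
[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C4A84}]

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}]
@="Constructed Reviewed Control"
[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\Implemented Categories\{7dd95801-9882-11cf-9fa9-00aa006c4a84}]
[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C4A84}]

[HKEY_CLASSES_ROOT\CLSID\{33333333-3333-3333-3333-333333333333}]
@="Constructed Unmarked Control"
"""

def audit_safe_for_scripting(reg_text, reviewed_clsids):
    """Return sorted (clsid, name, safe_for_init) for controls marked safe for
    scripting in the registry that are not on the reviewed allowlist."""
    names, cats, current = {}, {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            clsid, catid = m.group(1).upper(), m.group(2)
            # Only the CLSID key itself carries the control's display name.
            current = clsid if catid is None else None
            if catid:
                cats.setdefault(clsid, set()).add(catid.upper())
        elif line.startswith("["):
            current = None  # some other subkey; its default value is not the name
        elif current and (n := NAME_RE.match(line)):
            names[current] = n.group(1)
    reviewed = {c.upper() for c in reviewed_clsids}
    return sorted((c, names.get(c, "?"), CATID_SAFE_FOR_INIT in s)
                  for c, s in cats.items()
                  if CATID_SAFE_FOR_SCRIPTING in s and c not in reviewed)
```
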

The patch is available at FileForum and at Microsoft’s site:
http://officeupdate.microsoft.com/info/ocx.htm

As a note of warning, Weld adds: "As long as IE, Outlook and Windows are so tightly
coupled every 'malicious web site' vulnerability is a potential Outlook vulnerability that
could be much, much worse."


© 1998-2025 BetaNews, Inc. All Rights Reserved.