This story was printed from ZDNet Australia.
New vulnerability exposes Excel and PowerPoint macros

By John McCormick
October 29, 2001
URL: http://www.zdnet.com.au/news/software/soa/New-vulnerability-exposes-Excel-and-PowerPoint-macros/0,130061733,120261516,00.htm


Symantec's security response team has discovered that a carefully crafted document can bypass the normal macro protection provided by Microsoft Excel and PowerPoint even when the macro security configuration is set to High. Because this is a potentially serious vulnerability, we're going to discuss the harm it can cause and the product versions that are affected, as well as providing links to the fixes.
The vulnerability

When opening Excel and PowerPoint documents, users are normally warned if the document contains any macros, since these files can easily carry viruses. Following proper security procedures, the macros (by default) don't run unless they come from a trusted source or unless users specifically grant permission for the document to run the macros. Malicious macros in Word, Excel, and PowerPoint files are a well-known security threat, and security personnel routinely configure office PCs to trigger a warning to users when a macro is present in a document from an untrusted source.

Symantec's discovery shows that a flaw in the Microsoft macro-checking routines Excel and PowerPoint use (but not the ones Word uses) enables some carefully crafted documents to bypass the security check. This allows the documents to be opened and any macros contained in the files to run automatically without first warning the user that a document contains macros.

Applicability

The following versions of Microsoft Excel and PowerPoint for Windows and Macintosh are vulnerable:

  • Microsoft Excel 2000 for Windows
  • Microsoft Excel 2002 for Windows
  • Microsoft Excel 98 for Macintosh
  • Microsoft Excel 2001 for Macintosh
  • Microsoft PowerPoint 2000 for Windows
  • Microsoft PowerPoint 2002 for Windows
  • Microsoft PowerPoint 98 for Macintosh
  • Microsoft PowerPoint 2001 for Macintosh

The threat

Macros are powerful utilities that can be embedded in several types of Microsoft documents. These small programs can perform any task a user at the keyboard can initiate, including:

  • Altering or deleting files.
  • Linking to Web sites.
  • Altering security settings.

This vulnerability can bypass all the existing security settings related to macros in these documents because the software doesn't even detect the presence of a macro. The only protection left against this form of attack is reliance on a good security policy forbidding individual users to open any Excel or PowerPoint document from an unknown source.

However, because most security policies tend to rely on the macro protection provided by the Excel and PowerPoint security model, which normally warns users if a document contains any macros, even people who are very security conscious may tend to be careless about opening these files.
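Because the flaw means the application itself no longer reports the macro, a defender can check the file out of band instead of trusting the warning. The following added example (not from the article or from Microsoft) walks the OLE2 compound-file directory of a legacy binary workbook and flags a `_VBA_PROJECT_CUR` (Excel) or `Macros` (Word) storage; PowerPoint 97-2003 embeds its project inside its main stream, so this walk covers the Excel and Word layout only. `build_sample_cfb` constructs a minimal compound file so the check can run offline.

```python
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FATSECT, FREESECT = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
# Storage names that hold a VBA project: Excel 97-2003 uses _VBA_PROJECT_CUR, Word uses Macros.
MACRO_STORAGES = {"_VBA_PROJECT_CUR", "Macros", "VBA"}

def cfb_directory_names(data):
    """Walk an OLE2 compound file's directory chain and return every entry name.
    Only the 109 DIFAT slots in the header are followed (enough for files under ~7 MB)."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE2 compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    difat = struct.unpack_from("<109I", data, 0x4C)[:num_fat]
    def sector(n):  # sector 0 starts right after the header, which occupies one sector
        return data[(n + 1) * sector_size:(n + 2) * sector_size]
    fat = []
    for s in difat:
        fat.extend(struct.unpack("<%dI" % (sector_size // 4), sector(s)))
    names, sid, seen = [], first_dir, set()
    while sid != ENDOFCHAIN and sid < len(fat) and sid not in seen:
        seen.add(sid)  # guard against a corrupted, looping FAT chain
        blob = sector(sid)
        for off in range(0, sector_size, 128):  # 128-byte directory entries
            name_len = struct.unpack_from("<H", blob, off + 64)[0]
            if name_len >= 2:  # length includes the UTF-16 terminator
                names.append(blob[off:off + name_len - 2].decode("utf-16-le"))
        sid = fat[sid]
    return names

def has_vba_project(data):
    """True if the file carries a VBA project storage, whatever Office reports."""
    return any(name in MACRO_STORAGES for name in cfb_directory_names(data))

def build_sample_cfb(names):
    """Constructed test input: 512-byte sectors, sector 0 = FAT, sector 1 = directory."""
    header = bytearray(512)
    header[:8] = CFB_MAGIC
    struct.pack_into("<H", header, 0x1E, 9)            # 2**9 = 512-byte sectors
    struct.pack_into("<II", header, 0x2C, 1, 1)        # one FAT sector; directory at sector 1
    struct.pack_into("<109I", header, 0x4C, 0, *([FREESECT] * 108))
    fat = bytearray(struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126)))
    directory = bytearray(512)
    for i, name in enumerate(["Root Entry"] + list(names)):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        directory[i * 128:i * 128 + len(raw)] = raw
        struct.pack_into("<HB", directory, i * 128 + 64, len(raw), 5 if i == 0 else 1)
    return bytes(header + fat + directory)
```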

The fix

Microsoft recommends that all users apply the necessary patches immediately. A series of patches for various versions of the software is already available from Microsoft. See Microsoft Security Bulletin MS01-050 for details and any recent updates to this information, as well as the latest links to the patches.

Links to patches

© 2001 TechRepublic, Inc.