New Office XP security problems


Paul Wilders
April 2nd, 2002, 06:36 AM
Summary

Two new security vulnerabilities in Office XP have been discovered. One of the vulnerabilities will allow an attacker to cause an end user to execute arbitrary JavaScript automatically upon forwarding or replying to an email; the other allows saving of files to the user's local hard drive with the content we desire it to include.


Details

Systems affected:
Office XP

There are at least two new vulnerabilities in Office XP:
1. It is possible to embed active content (Object and Script) in HTML-based emails that is triggered if the user chooses to reply to or forward the email.

2. A bug in Microsoft's Spreadsheet component allows saving local files anywhere on the user's hard drive and controlling the content of those files.

The vulnerability is caused by the Host() function (this vulnerability can be exploited remotely with the help of vulnerability #1). The Host() function allows creating files with arbitrary names and controlling their content. This is sufficient to place an executable file (.HTA) in the user's startup directory, which would in turn allow taking full control over the user's computer. (This probably may be called Cross Application Scripting, because one application uses an object from another application.)

-----

source: securiteam.com
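
A mail-gateway style check for the first issue described above (active content in HTML email), as an added example that is not part of the original post or the advisory. The tag list, the function names and the sample message are assumptions constructed for illustration.

```python
# Added example: flag active content in the text/html parts of a raw e-mail.
from email import message_from_string
from html.parser import HTMLParser

# Elements that can carry script or embedded objects (assumed list, extend as needed).
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}


class ActiveContentFinder(HTMLParser):
    """Records active elements, event-handler attributes and script URLs."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif (value or "").strip().lower().startswith(("javascript:", "vbscript:")):
                self.findings.append(f"script URL in {name} on <{tag}>")


def scan_message(raw):
    """Return active-content findings from every text/html part of a raw message."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True) or b""
        try:
            text = body.decode(part.get_content_charset() or "utf-8", "replace")
        except LookupError:  # unknown charset label: fall back, do not skip the part
            text = body.decode("latin-1")
        finder = ActiveContentFinder()
        finder.feed(text)
        finder.close()
        findings.extend(finder.findings)
    return findings


def sample_message(html):
    """Constructed single-part HTML message, used only for demonstration."""
    return ("From: sender@example.com\nSubject: constructed sample\n"
            "MIME-Version: 1.0\nContent-Type: text/html; charset=utf-8\n\n" + html)


if __name__ == "__main__":
    print(scan_message(sample_message("<p>Hi</p><object id=x></object>")))
```

A message that yields any finding can be quarantined or delivered as plain text, so that replying to or forwarding it never renders the embedded object or script.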