Symantec’s security response team has discovered that a carefully crafted document can bypass the normal macro protection provided by Microsoft Excel and PowerPoint even when the macro security configuration is set to High. Because this is a potentially serious vulnerability, we’re going to discuss the harm it can cause and the product versions that are affected, as well as providing links to the fixes.

The vulnerability
When opening Excel and PowerPoint documents, users are normally warned if the document contains any macros, since these files can easily carry viruses. Following proper security procedures, the macros (by default) don’t run unless they come from a trusted source or unless users specifically grant permission for the document to run the macros. Malicious macros in Word, Excel, and PowerPoint files are a well-known security threat, and security personnel routinely configure office PCs to trigger a warning to users when a macro is present in a document from an untrusted source.

Symantec’s discovery shows that a flaw in the macro-checking routines used by Excel and PowerPoint (but not those used by Word) lets carefully crafted documents bypass the security check. Such a document opens without any warning that it contains macros, and any macros it carries run automatically.

The following versions of Microsoft Excel and PowerPoint for Windows and Macintosh are vulnerable:

  • Microsoft Excel 2000 for Windows
  • Microsoft Excel 2002 for Windows
  • Microsoft Excel 98 for Macintosh
  • Microsoft Excel 2001 for Macintosh
  • Microsoft PowerPoint 2000 for Windows
  • Microsoft PowerPoint 2002 for Windows
  • Microsoft PowerPoint 98 for Macintosh
  • Microsoft PowerPoint 2001 for Macintosh

The threat
Macros are powerful utilities that can be embedded in several types of Microsoft documents. These small programs can perform any task a user at the keyboard can initiate, including:

  • Altering or deleting files.
  • Linking to Web sites.
  • Altering security settings.

This vulnerability bypasses all the existing macro-related security settings for these documents because the software doesn’t even detect that a macro is present. The only protection left against this form of attack is a good security policy that forbids individual users from opening any Excel or PowerPoint document from an unknown source.

However, because most security policies rely on the macro protection built into the Excel and PowerPoint security model, which normally warns users when a document contains macros, even very security-conscious people may be careless about opening these files.
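Because the application’s own check is what fails here, a defender can enumerate a document’s OLE2 compound-file directory independently and flag the storages that hold a VBA project before the file ever reaches Excel or PowerPoint. The following is an added example, not code from Symantec, Microsoft or this article; it parses the standard OLE2 directory structure, assumes the storage names Office uses for VBA projects (`_VBA_PROJECT_CUR` in Excel, `Macros` in Word, and the `VBA` sub-storage), and builds a one-sector sample file that is constructed purely for illustration.

```python
import struct

MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # OLE2 compound file signature
ENDOFCHAIN, FATSECT = 0xFFFFFFFE, 0xFFFFFFFD
# Storage names under which Office keeps a VBA project: Excel uses
# _VBA_PROJECT_CUR and Word uses Macros; both hold a VBA sub-storage.
VBA_STORAGES = {"VBA", "_VBA_PROJECT_CUR", "Macros"}

def ole_directory(data):
    """Yield (name, object_type) for each used entry in an OLE2 directory."""
    if data[:8] != MAGIC:
        raise ValueError("not an OLE2 compound file")
    sec = 1 << struct.unpack_from("<H", data, 30)[0]      # sector size (512 for v3)
    dir_sector = struct.unpack_from("<I", data, 48)[0]    # first directory sector
    fat = []  # the header DIFAT lists the FAT sectors; join them into one table
    for fat_sector in struct.unpack_from("<109I", data, 76):
        if fat_sector >= 0xFFFFFFFA:
            break
        fat += struct.unpack_from("<%dI" % (sec // 4), data, (fat_sector + 1) * sec)
    while dir_sector < 0xFFFFFFFA:          # walk the directory sector chain
        off = (dir_sector + 1) * sec
        for e in range(off, off + sec, 128):  # 128-byte directory entries
            nlen, typ = struct.unpack_from("<HB", data, e + 64)
            if typ and nlen >= 2:           # skip unused entries
                yield data[e:e + nlen - 2].decode("utf-16-le"), typ
        dir_sector = fat[dir_sector]

def vba_storages(data):
    """Names of VBA project storages present, regardless of what Office reports."""
    return sorted(n for n, t in ole_directory(data) if t == 1 and n in VBA_STORAGES)

def _entry(name, typ):
    n = name.encode("utf-16-le") + b"\x00\x00"
    # name, name length, type, colour, no siblings/child, zeroed CLSID/times/size
    return n.ljust(64, b"\x00") + struct.pack("<HBB", len(n), typ, 1) + b"\xff" * 12 + b"\x00" * 48

def build_sample(entries):
    """Constructed one-FAT-sector OLE2 file: sector 0 = FAT, sector 1 = directory."""
    hdr = bytearray(512)
    hdr[:8] = MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)   # v3, 512-byte sectors
    struct.pack_into("<IIIIIIII", hdr, 44, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    hdr[76:512] = struct.pack("<I", 0) + b"\xff" * 432            # DIFAT: FAT at sector 0
    fat = struct.pack("<II", FATSECT, ENDOFCHAIN).ljust(512, b"\xff")
    directory = _entry("Root Entry", 5) + b"".join(_entry(n, t) for n, t in entries)
    return bytes(hdr) + fat + directory.ljust(512, b"\x00")
```

Running `vba_storages()` over a real .xls or .ppt file gives a macro check that does not depend on the application’s own, bypassable routine.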

The fix
Microsoft recommends that all users apply the necessary patches immediately. A series of patches for various versions of the software is already available from Microsoft. See Microsoft Security Bulletin MS01-050 for details and any recent updates to this information, as well as the latest links to the patches.
