Georgi Guninski Advisory #53: Multiple Vulnerabilities in Office XP (HTML Email/Host Function)

Key Information Summary Vulnerability Overview Vulnerability Type: Multiple security vulnerabilities in Office XP Vulnerability ID: Georgi Guninski security advisory #53, 2002 Version: Version 3.0 Affected Systems and Risk Level Affected Systems: Office XP Risk Level: High Release and Update Dates Release Date: 31 March 2002 Last Updated: 28 April 2002 Legal Disclaimer and Copyright Copyright: © 2002 Georgi Guninski Usage Notice: Cannot be modified or partially distributed without written permission from the author Vulnerability Description and Test Cases 1. Embedded Objects in HTML Emails: Office XP allows embedding objects and scripts in HTML emails. When a user chooses to reply or forward, the vulnerability is triggered, potentially forcing the user to access a specific webpage or executing code within the IE operation area. 2. Vulnerability in Excel Component: The Host() function in Office XP has a flaw. By exploiting Office applications or specific opened documents, attackers can create and partially write arbitrary files on the user’s computer, execute executable files, and potentially take control of the computer. 3. Actual Testing: Simply replying or forwarding an HTML email triggers the vulnerability and executes code, contradicting Microsoft’s claim that “no other actions will be performed.” Additionally, embedding the formula “=Host().SaveAs(name)” in an Excel component and providing a filename allows file creation. Recommendations and Solutions Solution: Use official email clients and Office applications. - For issue (1): Disable all items containing “active” content in IE. - For issues (2), (3), and (4) (not personally tested): Log out and remove the MS Office spreadsheet component. Vendor Status Notification Date: Microsoft was notified on 17 March 2002. Patch Status: They had two weeks to release a patch but failed to do so.

Goal Reached Thanks to every supporter — we hit 100%!

Georgi Guninski Advisory #53: Multiple Vulnerabilities in Office XP (HTML Email/Host Function)