DOCSLIB.ORG

Microsoft Office 2000 Executable Content Security Risks and Countermeasures

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Microsoft Office 2000 Executable Content Security Risks and Countermeasures UNCLASSIFIED Report # C4 -07R -02 Date 02/08/2002 Microsoft Office 2000 Executable Content Security Risks and Countermeasures Executable Content Technology Team Systems and Network Attack Center (SNAC) Information Assurance Directorate Sheila Christman Mary Kolencik Released by Curt Dukes Trent Pitsenberger Chief, C43 Linda Smith Brett Sovereign National Security Ag ency ATTN: C43 9800 Savage Rd. STE 6704 (410) 854 -6191 commercial (410) 854 -6510 facsimile Ft. Meade, MD 20755 -6704 UNCLASSIFIED UNCLASSIFIED Microsoft Office 2000 Executable Content Security Risks and Countermeasures Prepared by: Brett Sovereign, C43 Released by: Curtis Dukes Chief, C43 Distribution: 1 - C 14 - DC324 Library No. S -248,496 2 - C Ch Sci 15 - V 3 - C Library 16 - V TD 4 - C1 17 - V2 5 - C11 18 - V3 6 - C12 19 - V4 7 - C3 20 - V5 8 - C4 21 - Vital Records 9 - C4 TD 22 - X 10 - C 41 23 - X TD 11 - C42 24 - X6 12 - C43 25 - X7 13 - C44 26 - X8 UNCLASS IFIED UNCLASSIFIED Abstract This paper provides an overview of the security threats from embedded scripts and binary executables in Office 2000 documents. It recommends ways to mitigate or counter these threats. The four applications covered in this paper are: Microsoft Word - the word processing application Microsoft Excel - the spreadsheet application Microsoft PowerPoint - the presentation application Microsoft Outlook - the mail/groupware application Microsoft Office 2000 includes a number of improvements to security compared to Office 97 as well as some new security features. This document describes these improvements and features, and suggests how best to configure and use the security in Office 2000 to prevent most executable content attacks. Acknowledgements The authors would like to thank Neal Ziring and Ken Katano, for reviewing and providing comments to the original drafts of this paper. UNCLASS IFIED UNCLASSIFIED Table of Contents 1 Introduction ................................ ................................ ................................ ............................. 1 2 Definitions and Background ................................ ................................ ................................ ... 1 2.1 Executable Content and Mobi le Code ................................ ................................ ............ 1 2.2 Customizations of Office Applications ................................ ................................ ........... 2 2.3 Threat and Countermeasure ................................ ................................ ............................ 3 3 Common Office 2000 Security Features ................................ ................................ ................. 3 3.1 Background: Security in Office 97 ................................ ................................ ................. 3 3.2 Security in Office 2000 Word, Excel, and PowerPoint ................................ .................. 4 3.3 Hot Fixes, Patches, and Updates ................................ ................................ ..................... 9 4 Microsoft Word ................................ ................................ ................................ ....................... 9 4.1 Overview ................................ ................................ ................................ ....................... 10 4.2 Threat Potential ................................ ................................ ................................ ............. 11 4.3 Countermeasures for Word ................................ ................................ ........................... 14 4.4 Summary ................................ ................................ ................................ ....................... 15 5 Microsoft Excel ................................ ................................ ................................ ..................... 15 5.1 Overview ................................ ................................ ................................ ....................... 15 5.2 Threats And Vulnerabilities ................................ ................................ .......................... 16 5.3 Countermeasures for Excel ................................ ................................ ........................... 18 5.4 Summary ................................ ................................ ................................ ....................... 18 6 Microsoft PowerPoint ................................ ................................ ................................ ........... 19 6.1 Overview ................................ ................................ ................................ ....................... 19 6.2 Threat Potential ................................ ................................ ................................ ............. 19 6.3 Countermeasures for PowerPoint ................................ ................................ ................. 20 6.4 Summary ................................ ................................ ................................ ....................... 21 7 Microsoft Outlook ................................ ................................ ................................ ................. 21 7.1 Overview ................................ ................................ ................................ ....................... 21 7.2 Threa t Potential ................................ ................................ ................................ ............. 22 7.3 Configuration Recommendations ................................ ................................ ................. 24 7.4 Summary ................................ ................................ ................................ ....................... 29 8 Summary of Op timum Settings and Countermeasures ................................ ......................... 29 9 Conclusions ................................ ................................ ................................ ........................... 30 10 References and Resources ................................ ................................ ................................ 31 Appendix A Registry Settings for Office 2000 ................................ ................................ ............. 32 Appendix B Level 1 Attachments for Outlook Attachment Security Patch ................................ 34 UNCLASSIFIED UNCLASSIFIED 1 Introduction In late 1999, the NSA published a report describing a security analysis of Microsoft Office 97, which is available at http://www.nsa.gov [1]. This paper is an update covering Microsoft Office 2000 SR 1a running on Windows NT with SP4 or later, or Windows 2000. The four components covered in this paper are Microsoft Word – the word processing application Microsoft Excel – the spreadsheet application Microsoft PowerPoint – the presentation application Microsoft Outlook – the mail/groupware application Microsoft Office 2000 includes a number of improvements to security as well as some new security features. This document describes these improvements and features, and suggests how best to configure and use the security in Office 2000 to prevent most executable content attacks. 2 Definitions and Background 2.1 Executable Content and Mobile Code In general terms, an executable content format is one that supports initiation of execution as a side effect of manipulating or viewing the data or its presentation. Mobile code refers to data that is obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or initiation of execution by the recipient. By this definition, not all mobile code is executable content, but most executable content threats utilize mobile code delivery systems such as e-mail and web pages to spread. Microsoft Office 95, 97, and 2000 include the Visual Basic for Applications (VBA) language in Word, Excel and PowerPoint.1 VBA is derived from Visual Basic and is an interpreted extension language to allow a user to customize the individual Microsoft Office applications. Microsoft licenses VBA to other software vendors to include in their products, and the security concerns are similar. Since the implementation of VBA allows a data format (e.g. Word document) to include code that executes automatically without initiation by the user (e.g. an AutoOpen macro), VBA is executable content. VBA enabled formats also fit the definition of mobile code since documents, spreadsheets, and presentations can be sent over a network as e-mail attachments or can be opened in Internet Explorer (a web browser). For simplicity, this paper will use the term executable content rather than mobile code. 1 Access and Frontpage also include VBA, but those products will not be covered in this paper since their security features and settings are different from the other main components of Office 2000. Prior to Office 95, only Microsoft Word 6.0 included an extension language, and that was WordBasic. The Office 95 implementation of VBA and Word 6.0’s WordBasic will not be covered in any detail in this paper. 1 UNCLASSIFIED UNCLASSIFIED 2.2 Customizations of Office Applications 2.2.1 The purpose of VBA Macros and ActiveX The Microsoft Office applications have extensive built-in functionality. However, there are times when a user may want to customize or add to that functionality. For example, in Word there is no built-in button to print just the current page. The user has to select the File menu, select Print, select Current Page, and select Okay – four mouse clicks. A button on the
Load more

Recommended publications
  • The Microsoft Office Open XML Formats New File Formats for “Office 12”
    The Microsoft Office Open XML Formats New File Formats for “Office 12” White Paper Published: June 2005 For the latest information, please see http://www.microsoft.com/office/wave12 Contents Introduction ...............................................................................................................................1 From .doc to .docx: a brief history of the Office file formats.................................................1 Benefits of the Microsoft Office Open XML Formats ................................................................2 Integration with Business Data .............................................................................................2 Openness and Transparency ...............................................................................................4 Robustness...........................................................................................................................7 Description of the Microsoft Office Open XML Format .............................................................9 Document Parts....................................................................................................................9 Microsoft Office Open XML Format specifications ...............................................................9 Compatibility with new file formats........................................................................................9 For more information ..............................................................................................................10
    [Show full text]
  • HOL: Building Solutions Using Microsoft Office Infopath 2003
    Hands-On Lab Lab Manual Building Solutions using Microsoft Office InfoPath 2003 Please do not remove this manual from the lab The lab manual will be available from CommNet Release Date: April 2005 m Information in this document is subject to change without notice. The example companies, organizations, products, people, and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarked, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. ©2005 Microsoft Corporation. All rights reserved. Microsoft, MS-DOS, MS, Windows, Windows NT, MSDN, Active Directory, BizTalk, SQL Server, SharePoint, Outlook, PowerPoint, FrontPage, InfoPath, Visual Basic, Visual C++, Visual J++, Visual InterDev, Visual SourceSafe, Visual C#, Visual J#, and Visual Studio are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. Other product and company names herein may be the trademarks of their respective owners. Notes Page 2 HOL: Building Solutions using Microsoft Office InfoPath 2003 HOL: Building Solutions using Microsoft Office InfoPath 2003 This lab will help turn you into a knowledgeable developer of InfoPath 2003 form solutions.
    [Show full text]
  • Vbscript Programmer's Reference
    Table of Contents VBScript Programmer's Reference...................................................................................................................1 Introduction.........................................................................................................................................................6 Who is this Book For?............................................................................................................................6 How to Use this Book.............................................................................................................................6 What is VBScript?..................................................................................................................................7 What Can You Do With VBScript?......................................................................................................11 What Tools Do You Need to Use VBScript?.......................................................................................14 What's New in VBScript 5?..................................................................................................................15 Code Conventions.................................................................................................................................17 Tell Us What You Think.......................................................................................................................17 Customer Support.................................................................................................................................18
    [Show full text]
  • Learning React Functional Web Development with React and Redux
    Learning React Functional Web Development with React and Redux Alex Banks and Eve Porcello Beijing Boston Farnham Sebastopol Tokyo Learning React by Alex Banks and Eve Porcello Copyright © 2017 Alex Banks and Eve Porcello. All rights reserved. Printed in the United States of America. Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472. O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com/safari). For more information, contact our corporate/insti‐ tutional sales department: 800-998-9938 or [email protected]. Editor: Allyson MacDonald Indexer: WordCo Indexing Services Production Editor: Melanie Yarbrough Interior Designer: David Futato Copyeditor: Colleen Toporek Cover Designer: Karen Montgomery Proofreader: Rachel Head Illustrator: Rebecca Demarest May 2017: First Edition Revision History for the First Edition 2017-04-26: First Release See http://oreilly.com/catalog/errata.csp?isbn=9781491954621 for release details. The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. Learning React, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc. While the publisher and the authors have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the authors disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.
    [Show full text]
  • Microsoft Office 2000 to 2003
    MICROSOFT OFFICE 2000 TO 2003 Table of Contents Page LESSON 1: INTRODUCTION..........................................................................1 ♦ Old Version Compatibility...........................................................................1 ♦ Task Pane.....................................................................................................1 ♦ Help..............................................................................................................3 ♦ Clip Art........................................................................................................6 ♦ Research.......................................................................................................9 ♦ The Clipboard............................................................................................10 ♦ Paste Options.............................................................................................13 ♦ System Security.........................................................................................14 LESSON 2: MICROSOFT WORD .................................................................16 ♦ AutoCorrect Options..................................................................................17 ♦ Smart Tags.................................................................................................19 ♦ Drawing Area.............................................................................................21 ♦ Styles and Formatting ................................................................................22
    [Show full text]
  • Microsoft Office 2000, First Course
    SYLLABUS Computer Concepts and Microsoft Office 2013 Illustrated Instructor: Ms. Lena Greff Office: Mott/Regent HS Phone: 1-701-824-2795 E-mail: [email protected] Website: http://mott.nd.schoolwebpages.com Course Description: As a student in this course, you will learn computer basics. First you will become familiar with computer hardware, software, file management and digital electronics. Next you will learn how to construct basic and complex internet searches. The next lesson covers browsing Subject Guides and how to find specialty information online. Finally you will be introduced to Microsoft Word 2013, Excel, Access, PowerPoint, Integration Outlook 2013, and the Cloud. Text/Materials: Text: Barker/Terry, Computer Concepts and Microsoft Office 2013 Illustrated (9781285092904), 2014. Software: Instructor will provide information on how to use these packages. Handouts: Additional handouts may be required. Instructor will provide information on obtaining this material. Teaching Methods: 1. Lectures: Important material from the text and outside sources will be covered in class. Students should plan to take careful notes as not all material can be found in the texts or readings. Discussion is encouraged as is student-procured outside material relevant to topics being covered. 2. Assignments: End of chapter and online activities will be assigned weekly to reinforce material in the text. These assignments may require the application of various software packages. 3. Quizzes: Occasional unannounced quizzes will be given to help ensure students stay up with assigned material. 4. Exams: Four exams will be given. The exams will be closed book/notes and will test assigned readings and material discussed in class.
    [Show full text]
  • Microsoft Office
    Microsoft Office MICROSOFT OFFICE INTRODUCTION Microsoft Office is an office suite of desktop applications, servers and services for the Microsoft Windows and OS X operating systems. It was first announced by Bill Gates of Microsoft on August 1, 1988 at COMDEX in Las Vegas. Initially a marketing term for a bundled set of applications, the first version of Office contained Microsoft Word, Microsoft Excel and Microsoft PowerPoint. Over the years, Office applications have grown substantially closer with shared features such as a common spell checker, OLEdata integration and Visual Basic for Applications scripting language. Microsoft also positions Office as a development platform for line-of-business software under the Office Business Applications brand. On 10 July 2012, Softpedia reported that Office is used by over a billion people worldwide. The current versions are Office 2013 for Windows, released on October 11, 2012; and Office 2011 for OS X, released October 26, 2010 On 24 October 2012, the RTM final code of Office 2013 Professional Plus was released to TechNet and MSDN subscribers for download. On 15 November 2012, the 60-day trial version of Office 2013 Professional Plus was released for download. All devices running Windows Phone and Windows RT come pre-installed with Office Mobile and Office RT, respectively. Office Mobile is also available for Android phones and the iPhone. A version of Office for the iPad was launched in March 2014. A web-based version of Office called Office Online, is also available COMPONENTS Word Microsoft Word is a word processor and was previously considered the main program in Office.
    [Show full text]
  • Microsoft Word 1 Microsoft Word
    Microsoft Word 1 Microsoft Word Microsoft Office Word 2007 in Windows Vista Developer(s) Microsoft Stable release 12.0.6425.1000 (2007 SP2) / April 28, 2009 Operating system Microsoft Windows Type Word processor License Proprietary EULA [1] Website Microsoft Word Windows Microsoft Word 2008 in Mac OS X 10.5. Developer(s) Microsoft Stable release 12.2.1 Build 090605 (2008) / August 6, 2009 Operating system Mac OS X Type Word processor License Proprietary EULA [2] Website Microsoft Word Mac Microsoft Word is Microsoft's word processing software. It was first released in 1983 under the name Multi-Tool Word for Xenix systems.[3] [4] [5] Versions were later written for several other platforms including IBM PCs running DOS (1983), the Apple Macintosh (1984), SCO UNIX, OS/2 and Microsoft Windows (1989). It is a component of the Microsoft Office system; however, it is also sold as a standalone product and included in Microsoft Microsoft Word 2 Works Suite. Beginning with the 2003 version, the branding was revised to emphasize Word's identity as a component within the Office suite; Microsoft began calling it Microsoft Office Word instead of merely Microsoft Word. The latest releases are Word 2007 for Windows and Word 2008 for Mac OS X, while Word 2007 can also be run emulated on Linux[6] . There are commercially available add-ins that expand the functionality of Microsoft Word. History Word 1981 to 1989 Concepts and ideas of Word were brought from Bravo, the original GUI writing word processor developed at Xerox PARC.[7] [8] On February 1, 1983, development on what was originally named Multi-Tool Word began.
    [Show full text]
  • Getting Started with Windows Scripting
    Getting Started with Windows Scripting art I of the PowerShell, VBScript, and JScript Bible intro- IN THIS PART duces you to the powerful administrative tool that is Windows scripting. You’ll get an overview of Windows Chapter 1 P Introducing Windows Scripting scripting and its potential, and an introduction to three tech- nologies you can use for Windows scripting: VBScript, JScript, Chapter 2 and PowerShell. VBScript Essentials Chapter 3 JScript Essentials Chapter 4 PowerShell Fundamentals COPYRIGHTED MATERIAL 886804c01.indd6804c01.indd 1 11/21/09/21/09 11:16:17:16:17 PPMM 86804c01.indd 2 1/21/09 1:16:18 PM Introducing Windows Scripting indows scripting gives everyday users and administrators the ability to automate repetitive tasks, complete activities while IN THIS CHAPTER away from the computer, and perform many other time-saving W Introducing Windows scripting activities. Windows scripting accomplishes all of this by enabling you to create tools to automate tasks that would otherwise be handled manually, Why script Windows? such as creating user accounts, generating log files, managing print queues, or examining system information. By eliminating manual processes, you Getting to know can double, triple, or even quadruple your productivity and become more Windows Script Host effective and efficient at your job. Best of all, scripts are easy to create and Understanding the Windows you can rapidly develop prototypes of applications, procedures, and utili- scripting architecture ties; and then enhance these prototypes to get exactly what you need, or just throw them away and begin again. This ease of use gives you the flex- ibility to create the kinds of tools you need without a lot of fuss.
    [Show full text]
  • Microsoft Office 2000 Is a Collection of the Most Popular, Widely-Used Office Productivity Software on the Market1
    Susan H. Carper Old Dominion University OTED 785 Fall 2002 CURRICULUM FOUNDATIONS DEFINITION OF MICROSOFT OFFICE Microsoft Office is a software suite that includes several productivity applications. Microsoft Office can include applications such as Word, Excel, Access, PowerPoint, FrontPage, Outlook, Publisher, and Internet Explorer among others. This curriculum focuses on the four most commonly used Microsoft Office applications, Word, Excel, Access, and PowerPoint. Knowledge of the basic skills of Microsoft Office will prepare students to stand out in the workplace. Microsoft Office allows the user to work more efficiently, communicate better, and improve the appearance of documents created. RATIONALE FOR STUDYING MICROSOFT OFFICE Microsoft Office 2000 is a collection of the most popular, widely-used office productivity software on the market1. Work environments, educational institutions, and home systems are usually equipped with this software. In today’s society, basic computer skills are necessary to one’s success in the working world. Computer applications are used in professions ranging from CEO of a company to running a cash register in a grocery store. Microsoft Office allows users to do simple tasks such as typing a letter in Word or complex tasks like creating an accounts payable database in Access. On an individual level, Microsoft Office is beneficial as well. A person can keep track of finances with Excel or Access, create an address database for Christmas cards, or combine the functions of Access and Word to create address labels for the Christmas cards. In Virginia’s K-12 general education, Standard C/T 12.2 of the Standards of Learning for computer/technology include four tasks students should know including2: Use advanced features of word processing, desktop publishing, graphics programs, and utilities in learning activities.
    [Show full text]
  • Tyson Kopczynski
    www.it-ebooks.info Tyson Kopczynski Windows® PowerShell UNLEASHED 800 East 96th Street, Indianapolis, Indiana 46240 USA www.it-ebooks.info Windows® PowerShell Unleashed Editor-in-Chief Copyright © 2007 by Sams Publishing Karen Gettman All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, Senior Acquisitions or otherwise, without written permission from the publisher. No patent liability is Editor assumed with respect to the use of the information contained herein. Although every Neil Rowe precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for Development Editor damages resulting from the use of the information contained herein. Mark Renfrow International Standard Book Number: 0-672-32953-0 Managing Editor Library of Congress Cataloging-in-Publication Data Gina Kanouse Kopczynski, Tyson. Project Editor Microsoft PowerShell unleashed / Tyson Kopczynski. George E. Nedeff p. cm. ISBN 0-672-32953-0 Copy Editor 1. Microsoft Windows (Computer file) 2. Operating systems (Computers) I. Title. Lisa M. Lord QA76.76.O63K66 2007 Senior Indexer 005.4’46—dc22 Cheryl Lenser 2007008894 Proofreader Printed in the United States of America Water Crest First Printing: Publishing 10090807 4321 Contributing Authors Trademarks Pete Handley, Mark All terms mentioned in this book that are known to be trademarks or service marks Weinhardt, and have been appropriately capitalized. Sams Publishing cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the Josh Tolle validity of any trademark or service mark.
    [Show full text]
  • Microsoft AJAX Library Essentials Client-Side ASP.NET AJAX 1.0 Explained
    Microsoft AJAX Library Essentials Client-side ASP.NET AJAX 1.0 Explained A practical tutorial to using Microsoft AJAX Library to enhance the user experience of your ASP.NET Web Applications Bogdan Brinzarea Cristian Darie BIRMINGHAM - MUMBAI Microsoft AJAX Library Essentials Client-side ASP.NET AJAX 1.0 Explained Copyright © 2007 Packt Publishing All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews. Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, Packt Publishing, nor its dealers or distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book. Packt Publishing has endeavored to provide trademark information about all the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information. First published: July 2007 Production Reference: 1230707 Published by Packt Publishing Ltd. 32 Lincoln Road Olton Birmingham, B27 6PA, UK. ISBN 978-1-847190-98-7 www.packtpub.com Cover Image by www.visionwt.com Table of Contents Preface 1 Chapter 1: AJAX and ASP.NET 7 The Big Picture 8 AJAX and Web 2.0 10 Building
    [Show full text]