Report # C4-072R-99 Date: 20 Dec 1999 Microsoft Office 97 Executable Content Security Risks and Countermeasures Architectures and Applications Division of the Systems and Network Attack Center (SNAC) Author(s): Rhonda Breon, C43 Released By: Ken Katano, C42 Curt Dukes, Chief C43 National Security Agency ATTN: C43 9800 Savage Rd. STE 6704 Ft. Meade, MD 20755-6704 (410) 854-6191commercial (410) 854-6510 facsimile UNCLASSIFIED Microsoft Office 97 Executable Content Security Risks and Countermeasures December 20, 1999 Version 1.0 Steven Bonner, Rhonda Breon, Edward Igoe, Ken Katano Executable Content Technology Team Systems and Network Attack Center National Security Agency ABSTRACT Office 97 is a popular software package of office applications developed by Microsoft that includes Word, Excel, Access, PowerPoint, and Outlook. Each of these applications includes a programming language for customization of their features. This paper provides an analysis of each application, including techniques for embedding executable content or mobile code within each application. Each analysis summarizes the execut- able content threat, provides examples of embedding executable content within each application, and outlines possible counter- measures to protect the user against executable content attacks. Microsoft Office 97 Executable Content December 20, 1999 Security Risks and Countermeasures UNCLASSIFIED Acknowledgements The authors would like to thank Neal Ziring for offering his technical expertise and guidance while conducting the research of the Office 97 applications. The authors would also like to thank Don Simard, Mary Kolencik, and Maan Qazzaz for reviewing this document and pro- viding comments that both improved its technical content and readability. Microsoft Office 97 Executable Content December 20, 1999 Security Risks and Countermeasures UNCLASSIFIED Table of Contents 1.0 Background....................................................................................................................1 2.0 Description.....................................................................................................................3 2.1 Word .................................................................................................................................................. 3 2.1.1 Overview ................................................................................................................................ 3 2.1.2 Threat Potential....................................................................................................................... 4 2.1.2.1Dissemination.................................................................................................................. 4 2.1.2.2Invocation........................................................................................................................4 2.1.2.3Capabilities...................................................................................................................... 5 2.1.2.4Ease of Use...................................................................................................................... 5 2.1.3 Example(s) ..............................................................................................................................5 2.1.4 Countermeasures .................................................................................................................... 6 2.1.5 Summary of Word .................................................................................................................. 7 2.2 Excel .................................................................................................................................................. 8 2.2.1 Overview ................................................................................................................................ 8 2.2.2 Threat Potential..................................................................................................................... 10 2.2.3 Examples .............................................................................................................................. 11 2.2.4 Countermeasures .................................................................................................................. 13 2.2.5 Summary of Excel ................................................................................................................ 14 2.3 Access .............................................................................................................................................. 14 2.3.1 Overview .............................................................................................................................. 14 2.3.2 Threat Potential..................................................................................................................... 14 2.3.3 Examples .............................................................................................................................. 15 2.3.4 Countermeasures .................................................................................................................. 15 2.3.5 Summary of Access .............................................................................................................. 18 2.4 PowerPoint ...................................................................................................................................... 18 2.4.1 Overview .............................................................................................................................. 18 2.4.2 Threat Potential..................................................................................................................... 18 2.4.2.1UserForms ..................................................................................................................... 20 2.4.2.2Templates ...................................................................................................................... 21 2.4.2.3Add-Ins.......................................................................................................................... 21 2.4.2.4Hyperlinks ..................................................................................................................... 22 2.4.2.5ActiveX Controls/Objects ............................................................................................. 23 2.4.2.6Running Programs & Macros from Action Buttons...................................................... 24 2.4.2.7Pack and Go Technology.............................................................................................. 25 2.4.3 Examples .............................................................................................................................. 25 2.4.4 Countermeasures .................................................................................................................. 28 2.4.5 Summary of PowerPoint....................................................................................................... 28 2.5 Outlook 98 ....................................................................................................................................... 29 2.5.1 Overview .............................................................................................................................. 29 2.5.2 Threat Potential..................................................................................................................... 29 2.5.3 Examples .............................................................................................................................. 31 2.5.4 Countermeasures .................................................................................................................. 33 2.5.5 Summary of Outlook ............................................................................................................ 35 3.0 Conclusions..................................................................................................................35 4.0 Appendix A: Macros within a PowerPoint UserForm.................................................38 5.0 Appendix B: Recommended Outlook Security Settings..............................................40 6.0 References....................................................................................................................43 Microsoft Office 97 Executable Content December 20, 1999 Security Risks and Countermeasures UNCLASSIFIED Microsoft Office 97 Executable Content Security Risks and Countermeasures (U) Executable Content Technology Team Systems and Network Attack Center National Security Agency 1.0Background The Microsoft Office 97 suite includes five separate office applications: Word provides word processing capability, Excel is a spreadsheet application, Access is a database package, Pow- erPoint facilitates the creation of slide shows or presentations, and Outlook is a mail/group- ware application. Office 97 runs on Microsoft Windows 95, Windows 98, and Windows NT 3.51 with Service Pack 5 and later versions. Each application features customization capabil- ity to satisfy the user’s specialized requirements. This customization includes the ability to embed programming instructions within the applications to perform many useful activities. For example, the user can create a button within an Outlook email message that automatically sends responses to a survey back to the sender. However, this customization capability can also be used to perform malicious