Article ID: 328130 - Last Review: December 4, 2007 - Revision: 4.9

Unsafe functions in Office XP Web Components

View products that this article applies to.
This article was previously published under Q328130

On This Page

Expand all | Collapse all

SUMMARY

The Microsoft Office Web Components contain several ActiveX controls that give users limited functionality of Microsoft Office in a Web browser without requiring that the user install the full Microsoft Office program. This functionality permits users to use Microsoft Office programs in situations where installation of the full program is infeasible or undesirable.

The control contains three security vulnerabilities, each of which might be exploited either by means of a Web site or HTML mail. The vulnerabilities result because of implementation errors in the following methods and functions the controls expose:
  • Host() - By design, this function provides the caller with access to program object models on the user's system. By using the Host() function, an attacker might, for example, open an Office program on the user's system and invoke commands there that would carry out operating system commands as the user.
  • LoadText() - This method permits a Web page to load text into a browser window. This method verifies that the source of the text is in the same domain as the window, and in theory restricts the page to only loading text that it hosts itself. However, it is possible to circumvent this restriction by specifying a text source located in the Web page's domain, and then by setting up a server-side redirect of that text to a file on the user's system. This would provide an attacker with a way to read any file that they want on the user's system.
  • Copy()/Paste() - These methods permit text to be copied and pasted. A security vulnerability results because the method does not respect the "disallow paste via script" security setting in Microsoft Internet Explorer. Therefore, even if this setting had been selected, a Web page might continue to access the copy buffer and read any text that the user had copied or deleted from other programs.
Back to the top

MORE INFORMATION

For more information about these vulnerabilities, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS02-044.mspx (http://www.microsoft.com/technet/security/bulletin/MS02-044.mspx)
The "kill bit" is a method by which an ActiveX control can be prevented from ever being invoked by means Internet Explorer, even if it is present on the system. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
240797  (http://support.microsoft.com/kb/240797/EN-US/ ) How to Stop an ActiveX Control from Running in Internet Explorer
Typically, when a security vulnerability involves an ActiveX control, the patch delivers a new control and sets the "kill bit" on the vulnerable control. However, this patch does not set the "kill bit" because the ActiveX control involved in these vulnerabilities is used in Web pages produced by Office programs to access data. Many programs, which include third-party programs, contain hard-coded references to it; if the patch set the "kill bit", the Web pages would no longer function at all - even with the new, corrected version. As a result, the patch updates the control to remove the vulnerabilities, but does not provide a brand-new control and set the "kill bit" on the old one.

Back to the top

Office XP

If you use Office XP, apply Office XP Service Pack 2 (SP-2) to resolve these vulnerabilities. In addition to addressing these issues, it includes many other important security and stability fixes. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
325671  (http://support.microsoft.com/kb/325671/ ) OFFXP: Overview of the Office XP Service Pack 2
NOTE: If you cannot apply Office XP SP-2 at this time, apply the updated version of Office Web Components.

Back to the top

Project 2002 Update

If you use Project 2002, apply the Project 2002 patch. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
328043  (http://support.microsoft.com/kb/328043/EN-US/ ) PRJ2002: Microsoft Project 2002 Update: August 20, 2002
NOTE: The Project 2002 patch is not included in Office XP SP-2. Therefore, if you use Office XP and Project 2002, apply the Project 2002 patch and Office XP SP-2.

Back to the top

Project Server 2002 Update

If you use Project Server 2002, apply the Project Server 2002 patch. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
328044  (http://support.microsoft.com/kb/328044/ ) Microsoft Project Server 2002 update: August 20, 2002
NOTE: The Project Server 2002 patch is not included in Office XP SP-2. Therefore, if you use Office XP and Project Server 2002, apply the Project Server 2002 patch and Office XP SP-2.

Back to the top

Office Web Components

If you use Office Web Components, apply the Office Web Components patch. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
322382  (http://support.microsoft.com/kb/322382/EN-US/ ) OFF: Office Web Components Security Update: August 20, 2002
Back to the top
APPLIES TO
  • Microsoft Office XP Web Components
  • Microsoft Office XP Professional Edition
  • Microsoft Office XP Standard Edition
  • Microsoft Project 2002 Professional Edition
  • Microsoft Project Server 2002
  • Microsoft Internet Security and Acceleration Server 2000 Standard Edition
Back to the top
Keywords: 
kbproductlink kbfunctions kbhowto kbinfo kbofficexpsp2fix kbsecbulletin kbsecurity kbsecvulnerability KB328130
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations