IE, Powerpoint, Access, and Excel Allow Code Execution
Reported June 27 by
Georgi Guninski

VERSIONS EFFECTED
  • Internet Explorer 5.01
  • Powerpoint
  • Access 2000
  • Excel 2000

DESCRIPTION

Internet Explorer 5.01, Excel 2000 and PowerPoint under Windows 98, and perhaps other versions, allow the execution of programs when a user views a web page or HTML email message. The problem may allows an intruder to gain full control over the user"s computer.

The problems stems from functionality in IE that allows obtaining dangereous ActiveX objects with the help of the <OBJECT> tag and associated Office 2000 applications. For example, the following code loads a .xla file:

<object data="Book1.xla" id="sh1" width=0 height=0></object>

Book1.xla is simply a .xls file renamed to .xla. The same result may be achieved with a .ppt or .xls file, probably other Office 2000 file types. The result is having an object in IE that has a method SaveAs(). The SaveAs method may save the Excel Workbook (or Addin) or PowerPoint object in arbitrary location, including the Start Up folder. The content of the saved file is controllable and depends on the content of Book1.xla. If the saved file is for example a .hta file, it is possible to execute arbitrary programs on the user"s computer.

DEMONSTRATION

<object data="Book1.xla" id="sh1" width=0 height=0> </object> <SCRIPT> function f() \{ fn="C:\\georgi-xla.hta"; sh1.object.SaveAs(fn,6); //sh1.object.SaveAs("C:\\windows\\Start Menu\\Programs\\StartUp\\georgi-xla.hta",6); alert(fn+" sucessfully written"); \} setTimeout("f()",5000); </SCRIPT>

Demonstration is available at: http://www.nat.bg/~joro/sheetex.html

VENDOR RESPONSE

Microsoft is aware of this matter and however no response was known at the time of this writing.

To workaround the problem, disable Active Scripting or Disable Run ActiveX controls and plug-ins in your Internet Zone.

CREDITS
Discovered and reported by Georgi Guninski