CA-2001-28 Automatic Execution of Macros
release date: October 08, 2001
Last revised: -- Source: CERT/CC
revision history can be found at the end of this file.
+ Microsoft Excel 2000
+ Microsoft Excel 2002
+ Microsoft PowerPoint 2000
+ Microsoft PowerPoint 2002
+ Microsoft Excel 98
+ Microsoft Excel 2001
+ Microsoft PowerPoint 98
+ Microsoft PowerPoint 2001
can include a specially crafted macro in a Microsoft
Excel or PowerPoint document that can avoid detection and run
automatically regardless of the security settings specified by the
Excel and PowerPoint scan documents when they are opened
and check for the existence of macros. If the document contains
macros, the user running Excel or PowerPoint is alerted and asked
if he would like the macros to be run. However, Microsoft Excel and
PowerPoint may not detect malformed macros, so a user can
unknowingly run macros containing malicious code when opening an
Excel or PowerPoint document.
who can entice or deceive a victim into opening a
document using a vulnerable version of Excel or PowerPoint could
take any action the victim could take, including, but not limited
deleting, or modifying data, either locally or on open
* modifying security settings (including macro virus protection
* sending electronic mail
* posting data to or retrieving data from web sites
information, please see
the strong potential for widespread abuse of this
vulnerability, we strongly recommend that you apply patches as soon
as you are able. For example, the Melissa virus which spread in
March of 1999 used social engineering to convince victims to
execute a macro embedded in a Microsoft Word document. For more
information, see the CERT/CC Advisory listed below.
As a general practice, everyone should be aware of the potential
damage that Trojan horses and other kinds of malicious code can
cause to any platform. For more information, see
has been assigned the identifier CAN-2001-0718
by the Common Vulnerabilities and Exposures (CVE) group:
can execute arbitrary code on the target system with
the privileges of the victim running Excel or PowerPoint.
A contains information from vendors who have provided
information for this advisory. We will update the appendix as we
receive more information. If a vendor's name does not appear, then
the CERT/CC did not hear from that vendor. Please contact your
a patch can be applied, and as a general practice, we
recommend using caution when opening attachments. However, it is
important to note that relying on the "From" line in an electronic
mail message is not sufficient to authenticate the origin of the
A. - Vendor Information
contains information provided by vendors for this
advisory. When vendors report new information to the CERT/CC, we
update this section and note the changes in our revision
history. If a particular vendor is not listed below, we have not
received their comments.
Security Bulletin MS01-050
B. - References
Coordination Center thanks Peter Ferrie and Symantec
Security Response, who discovered this vulnerability and published
the information in their advisory. Additionally, we thank
Microsoft Corporation, who published an advisory on this issue.
Ian A. Finlay and Shawn V. Hernan.
is available from:
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
urge you to encrypt sensitive information sent by
email. Our public PGP key is available from
prefer to use DES, please call the CERT hotline for more
and other security information are available from
our web site
to the CERT mailing list for advisories and bulletins,
send email to firstname.lastname@example.org. Please include in the body of
and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is"
basis. Carnegie Mellon University makes no warranties of any kind,
either expressed or implied as to any matter including, but not
limited to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the
material. Carnegie Mellon University does not make any warranty of
any kind with respect to freedom from patent, trademark, or
for use, disclaimers, and sponsorship information
2001 Carnegie Mellon University.
October 8, 2001: initial release