Microsoft Word Mail混合代码执行HTML文件变量漏洞发布时间:2002-06-22 更新时间:2002-06-22 严重程度:高 威胁程度:权限提升 错误类型:设计错误 利用方式:客户机模式 BUGTRAQ ID:5066 CVE(CAN) ID:CAN-2002-0619 受影响系统 Microsoft Office 2000详细描述 Microsoft Word 在邮件合并操作中接收ACCESS数据作为数据源,指定数据库的VBA组件也会如果设置为启动时候执行的形式也会被读和执行,包含在VBA命令就能运行任意系统命令。指定数据库必须在目标用户的本地或者网络驱动盘上或者可访问UNC共享中。 HTML文件必须通过目标用户打开,用户可以通过WEB,EMAIL,FTP提交给目标用户。 此问题最先类似发现在Microsoft Security Bulletin MS00-071,不过此漏洞不同之处只是恶意文件必须存储为HTML格式。 测试代码 无 解决方案 补丁下载: http://office.microsoft.com/productupdates/default.aspx Microsoft Excel 2000 SR1: Microsoft Patch exc0901.exe http://download.microsoft.com/download/excel2000/exc0901/6-19-2002/win98mexp/en-us/exc0901.exe Excel 2000 Update: June 19, 2002 Microsoft Patch exc0901a.exe http://download.microsoft.com/download/Excel2000/Patch/exc0901/W982KMeXP/EN-US/exc0901a.exe Excel 2000 Update: June 19, 2002 - Administrative version Microsoft Excel 2000 SP2: Microsoft Patch exc0901.exe http://download.microsoft.com/download/excel2000/exc0901/6-19-2002/win98mexp/en-us/exc0901.exe Excel 2000 Update: June 19, 2002 Microsoft Patch exc0901a.exe http://download.microsoft.com/download/Excel2000/Patch/exc0901/W982KMeXP/EN-US/exc0901a.exe Excel 2000 Update: June 19, 2002 - Administrative version Microsoft Excel 2002 SP1: Microsoft Patch exc1002.exe http://download.microsoft.com/download/Excel2002/exc1002/6-19-2002/WIN98MeXP/EN-US/exc1002.exe Excel 2002 Update: June 19, 2002 Microsoft Patch exc1002a.exe http://download.microsoft.com/download/Excel2002/Patch/exc1002/W982KMeXP/EN-US/exc1002a.exe Excel 2002 Update: June 19, 2002 - Administrative version Microsoft Excel 2000 : Microsoft Patch exc0901.exe http://download.microsoft.com/download/excel2000/exc0901/6-19-2002/win98mexp/en-us/exc0901.exe Excel 2000 Update: June 19, 2002 Microsoft Patch exc0901a.exe http://download.microsoft.com/download/Excel2000/Patch/exc0901/W982KMeXP/EN-US/exc0901a.exe Excel 2000 Update: June 19, 2002 - Administrative version Microsoft Office 2000 : Microsoft Office XP : Microsoft Excel 2002 : Microsoft Patch exc1002.exe http://download.microsoft.com/download/Excel2002/exc1002/6-19-2002/WIN98MeXP/EN-US/exc1002.exe Excel 2002 Update: June 19, 2002 Microsoft Patch exc1002a.exe http://download.microsoft.com/download/Excel2002/Patch/exc1002/W982KMeXP/EN-US/exc1002a.exe Excel 2002 Update: June 19, 2002 - Administrative version 相关信息 参考:http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-031.asp 相关主页:http://office.microsoft.com/productupdates/default.aspx |
