Microsoft Word and Microsoft Excel provide a mechanism
through which data from one document can be inserted into, and updated in,
another document. This mechanism, known as
field codes in Word and
external updates in Excel, can be automated for the user's ease. For example, Word
field codes can be used to automatically insert a standard disclaimer paragraph
in a legal document. Excel external updates can be used to automatically update
a chart in one spreadsheet by using data in a different spreadsheet.
However, it is possible to maliciously use field codes and external updates to
secretly steal information from a user. Certain events can trigger the external
update and the field code to be updated: for example, when the user saves a
document or manually updates the links. Typically, the user is aware of these
updates when they occur. However, a specially crafted field code or external
update can be used to trigger an update without any indication to the user.
This can permit an attacker to create a document that, when opened, updates
itself to include the contents of a file from the user's local
computer.
For an attacker to take advantage of this vulnerability,
the attacker needs to:
- Create a Word or Excel document that exploits the
vulnerability.
- Deliver it to the user through e-mail or some other
method.
- Entice the user to open the document.
Then, the user must typically return the document to the
attacker for the attack to work successfully.
However, note that
Microsoft is aware of one case in which it is not even necessary for the user
to do this. By the method used in this case, the attacker's document can post
information directly to a Web site, although it permits only the first line of
the file to be sent.