[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Microsoft 'IE Script'/Access/OBJECT Tag Vulnerability

Title: Microsoft 'IE Script'/Access/OBJECT Tag Vulnerability
Released by: CERT
Date: 11th August 2000
Printable version: Click here


Hash: SHA1

CERT Advisory CA-2000-16 Microsoft 'IE Script'/Access/OBJECT Tag


   Original release date: August 11, 2000

   Last revised: --

   Source: CERT/CC


   A complete revision history is at the end of this file.


Systems Affected

     * Internet Explorer 4.x, 5.x

     * Microsoft Access 97 or 2000



   Under certain conditions, Internet Explorer can open Microsoft Access

   database or project files containing malicious code and execute the

   code without giving a user prior warning. Access files that are

   referenced by OBJECT tags in HTML documents can allow attackers to

   execute arbitrary commands using Visual Basic for Applications (VBA)

   or macros.


   A patch which protects against all known variants of attack exploiting

   this vulnerability is now available. A workaround which was previously

   suggested provided protection against one specific publicly-available

   exploit using .mdb files but did not protect against attack using many

   other Access file types. (See Appendix B for a complete list of file



I. Description

   Last month, a workaround for the "IE Script" vulnerability was

   addressed in Microsoft Security Bulletin MS00-049: Subsection

   "Workaround for 'The IE Script' Vulnerability." Microsoft has just

   re-released MS00-049, which now includes information about a patch for

   this vulnerability. The CERT Coordination Center is issuing this

   advisory to raise awareness in the Internet community about the need

   to apply this patch to protect IE users against all variants of

   attacks which can exploit this particular vulnerability.


Initial Findings

   Many of the initial public details about the vulnerability were

   discussed on the SecurityFocus Bugtraq mailing list, as well as in a

   SANS Flash Advisory:





   This vulnerability in IE can be used to open Access data or project

   files. (See Appendix B for a complete list of file types.) Visual

   Basic for Application (VBA) code embedded within these files will then

   execute. If a warning message appears (depending on the security

   settings in IE), it will only do so after the code has been run.


   Attackers exploit this vulnerability by placing OBJECT tags in HTML

   files posted on malicious Web sites or transmitted via email or via

   newsgroup postings. The OBJECT tag can look like


   Note, however, the file extension does not have to be .mdb; an

   attacker may use any of the ones listed in Appendix B.


   The Access file can then open before any warning messages are

   displayed, regardless of the default security settings in either IE or

   Access. Since Access files can contain VBA or macro code executed upon

   opening the file, arbitrary code can be run by a remote intruder on a

   victim machine without prior warning.


   While this is not an ActiveX issue per se, since all Microsoft Office

   documents are normally treated like ActiveX controls, by default

   Microsoft Access files are treated as unsafe for scripting within the

   IE Security Zone model. This vulnerability, however, can be used to

   reference an Access file and execute VBA or macro code even if

   scripting has been disabled in Internet Explorer.


Other Vulnerable OBJECT tag extensions

   In Microsoft Security Bulletin MS00-049, Microsoft initially provided

   a workaround for this vulnerability which involved setting the Admin

   password in MS Access. However, unlike with Access data files, setting

   the Admin password will not protect against exploits using project

   files (.ade, .adp). (See Appendix B.)


   Because Access project files rely on SQL backends to authenticate

   their requests, project files created without SQL content can bypass

   the default authentication for such requests in MS Access. For more

   information regarding Access project files, see




II. Impact

   A remote intruder can send malicious HTML via an email message,

   newsgroup posting, or downloaded Web page and may be able to execute

   arbitrary code on a victim machine.


III. Solution

Apply the patch provided by Microsoft

   Microsoft has released the following patch which addresses the "IE

   Script" vulnerability, as well as others:




   Please see MS00-055 "Patch Available for 'Scriptlet Rendering'

   Vulnerability" for additional information regarding other issues

   addressed by this patch:




   Note that the OBJECT tag issues addressed by MS00-049, MS00-055, and

   this advisory are separate from those addressed by the recently

   released MS00-056: "Patch Available for 'Microsoft Office HTML Object

   Tag' Vulnerability."


   Microsoft's initial workaround for this issue was for users to set the

   Admin password for Access. Since Access does not allow a user to

   disable VBA code embedded in Access data and project files, the CERT

   Coordination Center recommends that users follow the suggested

   workaround and set the Admin password even after the patch for this

   vulnerability has been applied.


   Appendix A contains information provided by vendors for this advisory.

   We will update the appendix as we receive more information. If you do

   not see your vendor's name, the CERT/CC did not hear from that vendor.

   Please contact your vendor directly.


Appendix A. Vendor Information

Microsoft Corporation

   Microsoft has published the following documents regarding this issue:






Appendix B. Additional Information

   The full list of OBJECT tag extensions which may be used to exploit

   this vulnerability is listed below:

     * .adp - Microsoft Access project file

     * .ade - ADP file with all modules compiled and all editable source

              code removed

     * .mdb - Microsoft Access database file

     * .mde - MDB file with all modules compiled and all editable source

              code removed

     * .mda - Microsoft Access VBA add-in

     * .mdw - Microsoft Access workgroup information file synonym for

              the system database used to store group and user account

              names and the passwords used to authenticate users when

              they log on to an Access database or MDE file secured

              with user-level security


   The patch provided by Microsoft addresses all the file extensions

   identified above.


   Please consult the following resources for further information

   regarding the other file types involved in exploited this


     * http://www.microsoft.com/office/ork/2000/appndx/glossary.htm#adefile

     * http://www.microsoft.com/office/ork/2000/appndx/glossary.htm#adpfile

     * http://msdn.microsoft.com/library/officedev/off2000/defAddIn.htm

     * http://www.microsoft.com/office/ork/2000/appndx/glossary.htm#mdbfile

     * http://www.microsoft.com/office/ork/2000/appndx/glossary.htm#mdefile

     * http://www.microsoft.com/office/ork/2000/appndx/glossary.htm#workgroupinformationfile



       The CERT Coordination Center thanks Timothy Mullen, Alan Paller

       and the SANS Research Office, and the Microsoft Security Response

       Center for their help in developing this advisory.



       Author: Jeffrey S. Havrilla



       This document is available from:




CERT/CC Contact Information


       Email: cert@cert.org

                Phone: +1 412-268-7090 (24-hour hotline)

                Fax: +1 412-268-6989

                Postal address:

                CERT Coordination Center

                Software Engineering Institute

                Carnegie Mellon University

                Pittsburgh PA 15213-3890



       CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) /

       EDT(GMT-4) Monday through Friday; they are on call for emergencies

       during other hours, on U.S. holidays, and on weekends.

Using encryption

       We strongly urge you to encrypt sensitive information sent by

       email. Our public PGP key is available from




       If you prefer to use DES, please call the CERT hotline for more



Getting security information

       CERT publications and other security information are available

       from our web site




       To be added to our mailing list for advisories and bulletins,

       send email to cert-advisory-request@cert.org and include

       SUBSCRIBE your-email-address in the subject of your message.


 * "CERT" and "CERT Coordination Center" are registered in the U.S.

   Patent and Trademark Office.




   Any material furnished by Carnegie Mellon University and the Software

   Engineering Institute is furnished on an "as is" basis. Carnegie

   Mellon University makes no warranties of any kind, either expressed or

   implied as to any matter including, but not limited to, warranty of

   fitness for a particular purpose or merchantability, exclusivity or

   results obtained from use of the material. Carnegie Mellon University

   does not make any warranty of any kind with respect to freedom from

   patent, trademark, or copyright infringement.



   Conditions for use, disclaimers, and sponsorship information


   Copyright 2000 Carnegie Mellon University.


   Revision History

   August 11, 2000:  Initial release


Version: PGP for Personal Privacy 5.0

Charset: noconv





(C) 1999-2000 All rights reserved.