TECH NEWS
Vulnerability Threatens Microsoft Office Users
The vulnerability is related to a flaw in the Visual Basic for Applications (VBA) programming language that could let an attacker execute arbitrary code.
Microsoft has warned of a security problem in its Office software. The vulnerability is related to the Visual Basic for Applications (VBA) programming language, which lets you build applications that tie into Office applications such as Word or Access. The flaw in VBA could let an attacker execute arbitrary code.
Microsoft rates the problem as critical and says customers using Office applications or VBA should apply a patch at the earliest available opportunity. You can get the patch at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-037.asp.
According to Microsoft, a flaw exists in the way VBA checks document properties passed to it when the host application opens a document. A buffer overrun exists that could allow an attacker to execute code in the context of the logged-on user.
For an attack to be successful, a user would have to open a specially crafted document sent to them by an attacker. This document could be any type that supports VBA, such as a Word document, Excel spreadsheet, or PowerPoint presentation.
If Word is being used as the HTML e-mail editor for Microsoft Outlook, the document could be an e-mail; however, the user would have to reply to or forward the message for the vulnerability to be exploited.
Other mitigating factors include:
- The user must open a document sent by an attacker in order for the vulnerability to be exploited.
- An attacker's code could only run with the same rights as the logged-on user. The specific privileges the attacker could gain through this vulnerability would therefore depend on the privileges granted to the user. Any limitations on a user's account, such as those applied through Group Policies, would also limit the actions of any arbitrary code executed by this vulnerability.
Affected software
Versions 6.3, 6.2, 6.0, and 5.0 of the Microsoft Visual Basic for Applications Software Development Kit are affected.
Affected applications include Access 2002, 2000, and 97; Excel 2002, 2000, and 97; PowerPoint 2002 and 2000; Project 2002; Publisher 2002; Visio 2002 and 2000; and Word 2002, 2000, 98(J), and 97.
Versions 2003, 2002, and 2001 of Microsoft Works are also impacted, as are several Microsoft Business Solutions products, such as Great Plains, Dynamics, eEnterprise, and Solomon.
ARTICLE INFO
Web Edition: 2003.09.04, Doc #13002