Microsoft issues Office security warnings

Microsoft has warned of several flaws in its ubiquitous Office products, the most serious of which could allow an attacker to take control of a user's computer.

Deemed "critical" is a flaw in Visual Basic for Applications (VBA), a technology that is part of Microsoft Office products and used to run customised applications on top of Office. A flaw exists in the way VBA checks the properties of a document when it is opened in an Office application, potentially allowing an attacker to run code on a victim's computer, Microsoft said in security bulletin MS03-037.

To exploit the flaw, an attacker would have to get a victim to open a specially-crafted document. This could be any document type that supports VBA, including Word, Excel or PowerPoint documents, Microsoft said. Also, if Word is used as the email editor for Outlook, the default setting in Office XP/2002, an attacker could strike via email. The attack would only be successful if the recipient forwards or replies to the email message, Microsoft said.

The VBA flaw affects Access, Excel, PowerPoint and Word in Microsoft Office 97, 2000 and XP/2002 as well as Word 98, Project 2000 and 2002, Publisher 2002, Visio 2000 and 2002, Works Suite 2001, 2002 and 2003 plus several Microsoft Business Solutions products that also included VBA, Microsoft said.

Microsoft urged users of the affected products to patch at their earliest available opportunity.

Users of more than one affected product might have to apply multiple software fixes, Microsoft said.

In addition to the VBA flaw, Microsoft also warned of three more security vulnerabilities in Office products, two carrying an "important" severity rating and one "moderate".

Rated important is a flaw in Word that could result in macros running automatically, instead of asking the user first or going by the level of macro security a user has set, Microsoft said in Security Bulletin MS03-035.

Macros are executable code meant to automate commonly-performed tasks and can perform any action a user can on a PC.

An attacker could create a malicious document that automatically runs a macro when opened, Microsoft said.

The flaw affects Word versions 97, 98, 2000 and XP/2002 as well as the Works Suite versions 2001, 2002 and 2003, Microsoft said.

Also important is a buffer overrun vulnerability in the WordPerfect Converter that is part of Office 97, 2000 and XP/2002 as well as Word 98, FrontPage 2000 and 2002, Publisher 2000 and 2002 and the Works Suite versions 2001, 2002 and 2003, Microsoft said in Security Bulletin MS03-036.

The converter does not correctly validate certain parameters when opening a WordPerfect document. As a result, an attacker could craft a special WordPerfect document that would allow code to run on a computer when opened with an application that uses the converter, Microsoft said.

The last of the four Office flaws Microsoft warned of Wednesday is rated moderate and affects the Access Snapshot Viewer, a tool used to view Access databases without Access installed on a computer, Microsoft said in Security Bulletin MS03-038. Access Snapshot Viewer comes as part of all versions of Office, but is not installed by default.

It was also offered online so users who did not have Access could still view Access databases, Microsoft said.

The flaw lies in an ActiveX control used by the viewer.

To exploit the flaw, an attacker would have to lure a user to a Web page containing special code, Microsoft said.

The company has a four-tiered system for rating security issues. Vulnerabilities that could be exploited to allow malicious Internet worms to spread without user action are rated critical. Issues that are rated important could still expose user data or threaten system resources.

Vulnerabilities rated moderate are hard to exploit because of factors such as default configuration or auditing, or difficulty of exploitation, according to Microsoft.


Joris Evers

IDG News Service