Office Users At Risk From 'Critical' Flaw

Published by

Microsoft issued another flock of security alerts Wednesday, including notice of a "critical" flaw that affects many of its Office applications. The most serious flaw, in the Visual Basic for Applications (VBA) software, could allow an attacker to gain control of a vulnerable PC. VBA is used to develop desktop applications that tie into other Microsoft products. As detailed in Microsoft's security bulletin, a malicious user could create a document with a VBA application that's designed to overflow the buffer--the chunk of memory that's allocated to a program--and then run other code. The flaw affects recent versions of Office applications that support VBA scripting, including the 2002, 2000 and 97 versions of Access, Excel, PowerPoint and Word. It can also be used with Project 2002 and 2000, Visio 2002 and 2000 and Works Suite 2002, 2001 and 2000. Several applications sold under Microsoft's Business Solutions brand also are at risk, including version 7.5 of the Great Plains accounting software. In most cases, a person would have to receive and open a maliciously crafted document to trigger an attack. If Microsoft's Outlook e-mail client is set up to use Word as the default program for editing HTML Web code, however, the vulnerability could be exploited by responding to or forwarding a message with a malicious attachment. Microsoft representatives urged customers to apply the proper patches as detailed in the security bulletin and at the Office Update site.