Network World

Microsoft issues Office security warnings

By Joris Evers, IDG News Service, 09/04/2003

Microsoft Wednesday warned of several flaws in its ubiquitous Office products, the most serious of which could allow an attacker to take control of a user's computer.

Deemed "critical" is a flaw in Visual Basic for Applications (VBA), a technology that is part of Microsoft Office products and used to run customized applications on top of Office. A flaw exists in the way VBA checks the properties of a document when it is opened in an Office application, potentially allowing an attacker to run code on a victim's computer, Microsoft said in Security Bulletin MS03-037.

To exploit the flaw, an attacker would have to get a victim to open a specially-crafted document. This could be any document type that supports VBA, including Word, Excel or PowerPoint documents, Microsoft said. Also, if Word is used as the e-mail editor for Outlook, the default setting in Office XP/2002, an attacker could strike via e-mail. The attack would only be successful if the recipient forwards or replies to the e-mail message, Microsoft said.

The VBA flaw affects Access, Excel, PowerPoint and Word in Microsoft Office 97, 2000 and XP/2002 as well as Word 98, Project 2000 and 2002, Publisher 2002, Visio 2000 and 2002, Works Suite 2001, 2002 and 2003 plus several Microsoft Business Solutions products that also include VBA, Microsoft said.

Microsoft urges users of the affected products to patch at their earliest available opportunity. Users of more than one affected product may have to apply multiple software fixes, Microsoft said.

In addition to the VBA flaw, Microsoft also warned of three more security vulnerabilities in Office products, two carrying an "important" severity rating and one "moderate."

Rated important is a flaw in Word that could result in macros running automatically, instead of asking the user first or going by the level of macro security a user has set, Microsoft said in Security Bulletin MS03-035.

Macros are executable code meant to automate commonly-performed tasks and can perform any action a user can on a PC. An attacker could create a malicious document that automatically runs a macro when opened, Microsoft said.

The flaw affects Word versions 97, 98, 2000 and XP/2002 as well as the Works Suite versions 2001, 2002 and 2003, Microsoft said.
