News

Microsoft issues 'critical' Office security warning

Microsoft has warned of several flaws in its Office products, the most serious of which could allow an attacker to take control of a user's computer.

It has uncovered a "critical" flaw in Visual Basic for Applications (VBA), a technology that is part of Microsoft Office products and is used to run customised applications on top of Office.

A flaw exists in the way VBA checks the properties of a document when it is opened in an Office application, potentially allowing an attacker to run code on a victim's computer, Microsoft said in security bulletin MS03-037.

To exploit the flaw, an attacker would have to get a victim to open a specially crafted document. This could be any document type that supports VBA, including Word, Excel or PowerPoint documents, Microsoft said.

In addition, if Word is used as the e-mail editor for Outlook, which is the default setting in Office XP/2002, an attacker could strike via e-mail.

The attack would only be successful if the recipient forwards or replies to the e-mail message, Microsoft said.

The VBA flaw affects Access, Excel, PowerPoint and Word in Microsoft Office 97, 2000 and XP/2002 as well as Word 98, Project 2000 and 2002, Publisher 2002, Visio 2000 and 2002, Works Suite 2001, 2002 and 2003 plus several Microsoft Business Solutions products that also include VBA.

Microsoft urged users of the affected products to patch at their earliest available opportunity. Users of more than one affected product may have to apply multiple software fixes.

In addition to the VBA flaw, Microsoft also warned of three more security vulnerabilities in Office products, two carrying an "important" severity rating and one "moderate".

These are listed in:

Joris Evers writes for IDG News Service


Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy