Alert: “Critical” Flaw in Office, Other Microsoft Applications

Vulnerability in Microsoft applications occurs thanks to Visual Basic for Applications

Users of Microsoft applications beware: a flaw in Visual Basic could allow for arbitrary code execution. Microsoft warned in a bulletin rated “critical” that users of Microsoft Office applications or Microsoft Visual Basic for Applications are at risk and recommended they apply a patch immediately.

The risk: an attacker can send an e-mail to an end user with an attached document that exploits the flaw, and ends up giving the attacker the ability to execute any code he or she wants.

In addition, because Office XP makes Microsoft Word the default e-mail editor for Outlook, Outlook and Office XP users are at especial risk if they receive an “attack document,” then forward or reply to the e-mail, since the malicious code would automatically be opened in Word.

eEye Digital Security, which reported the flaw to Microsoft in May, also released instructions for a proof-of-concept Word document that illustrates the vulnerability (see http://www.eeye.com/html/Research/Advisories/AD20030903-2.html for details).

In a statement, eEye says that in the Office applications, the files VBE.dll and VBE6.dll—the Visual Basic Design Time Environment library—are vulnerable to a heap overflow. “If a malicious Office file such as .doc, .xls, etc. is opened, an attacker has the ability to execute arbitrary code.” Internet Explorer users are also at risk, since IE can automatically open certain files—for example, open a Word document inside the browser if a user clicks on the document included as a Web link.

Experts also warn that the “critical” severity warning by Microsoft is too little; users need beware, especially if they have automation functions enabled in Internet Explorer. Beyond that, users have a propensity to open unknown attachments that are in a recognizable format, such as a Word or Excel file. That would lead to a successful exploit on unpatched systems.

Affected software includes Microsoft Visual Basic for Applications SDK 5.0, 6.0, 6.2, and 6.3. In addition, a number of products include the affected software: Microsoft Access, Excel, PowerPoint, and Word (version 97 and above); Project 2000, 2002; Visio 2000, 2002; Microsoft Business Solutions Great Plains 7.5, Dynamics 6.0, 7.0, eEnterprise 6.0, 7.0; and Solomon 4.5, 5.0, and 5.5. Unfortunately, users will have to apply individual VBA patches to most of the applications individually (one notable exception is Office XP; the entire suite can be patched at once).

For more information about Microsoft Security Bulletin MS03-037, visit:http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-037.asp

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.