Microsoft Issues 5 Security Bulletins

As Microsoft prepares to formally launch the next version of Office, the company's security team issued four bulletins for security flaws in existing Microsoft Office programs. One of the flaws is a critical buffer overrun, present in most versions of Office programs, that could allow an attacker to take control of a user's computer. Also Wednesday, Microsoft released a patch for a low-priority flaw in Windows.

The most serious flaw is with Visual Basic for Applications, which is present in core Office programs like Access, Word, Excel and PowerPoint and affects the 97, 2000 and 2002 versions. Other Office programs at risk are Word 98, FrontPage 2000 and 2002, Publisher 2000 and 2002 and the Microsoft Works suites from 2001, 2002 and 2003. Several Microsoft Business Solutions products are also vulnerable.

The buffer overflow occurs when an Office program opens a document and checks whether Visual Basic for Applications is required. An attacker would exploit the vulnerability by sending a specially crafted document carrying exploit code that would be passed during that stage. The attacker would control the machine in the security context of the user.

Two of the new security bulletins fix problems rated important by Microsoft. One is a flaw in Microsoft Word 97, 98, 2000 and 2002 that could allow macros to run automatically. Another is a buffer overrun in the WordPerfect converter that could allow code execution. The WordPerfect converter vulnerability affects Microsoft Office 97, 2000 and XP as well as some individual Office programs and the Microsoft Works suites.

A moderate vulnerability was also disclosed Wednesday in the Microsoft Access Snapshot viewer. An unchecked buffer there could allow code execution.

The Windows-related vulnerability, rated a low-priority problem by Microsoft, is a flaw in NetBIOS that could allow information disclosure. The flaw exists in Windows NT 4.0 Server; Windows NT 4.0, Terminal Server Edition; Windows 2000; Windows XP; and Windows Server 2003.

To view the security bulletins and apply the patches, click on the following links:

  • Flaw in Visual Basic for Applications Could Allow Arbitrary Code Execution
    www.microsoft.com/technet/security/bulletin/MS03-037.asp
  • Flaw in Microsoft Word Could Enable Macros to Run Automatically
    www.microsoft.com/technet/security/bulletin/MS03-035.asp
  • Buffer Overrun in WordPerfect Converter Could Allow Code Execution
    www.microsoft.com/technet/security/bulletin/MS03-036.asp
  • Flaw in NetBIOS Could Lead to Information Disclosure
    www.microsoft.com/technet/security/bulletin/MS03-034.asp
  • Unchecked Buffer in Microsoft Access Snapshot Viewer Could Allow Code Execution
    www.microsoft.com/technet/security/bulletin/MS03-038.asp

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.