New Holes Discovered In Office 97 Apps
- By Scott Bekker
- January 21, 1999
Recently, two security vulnerabilities were discovered in Microsoft Word 97 and the Microsoft Forms version 2.0 ActiveX Control, a Visual Basic for Applications (VBA) component of Office 97 and other VBA apps. The Redmond, Wash.-based company has been forthcoming not only in announcing the potential holes but also in patching them.
Microsoft reports the vulnerabilities could be used by crackers to run malicious code on a user's machine without warning. The patch for the Word hole is on the company's Web site, as is the one for Microsoft Forms.
Word 97 warns users when opening a document that contains macros, but Microsoft says that if the document itself contains no macros and is linked to a template that does, no warning is issued. The company says a cracker could exploit this vulnerability by causing malicious code to be run without warning when a user opens a Word document attached to e-mail or posted on a Web site. After installing Microsoft's patch, users will be warned before they launch a template that contains macros.
A cracker could also use the Forms 2.0 Control to read or export text on a user's Clipboard when that user visits a Web site set up by the cracker or opens an HTML-based e-mail created by a cracker. The patch prevents a cracker from exploiting the identified vulnerability while preserving the functionality of the Forms 2.0 Control.
In early December, Microsoft discovered similar vulnerabilities in Excel 97 that allowed crackers to exploit a user's desktop through simple HTML. As it has now, Microsoft sent out mass e-mails, informed the Computer Emergency Response Team (CERT) and posted a patch on its Web site. -- Brian Ploskina, Assistant Editor
Scott Bekker is editor in chief of Redmond Channel Partner magazine.