News

New Holes Discovered In Office 97 Apps

Recently, two security vulnerabilities were discovered in Microsoft Word 97 and Microsoft Forms version 2.0 ActiveX Control, a Visual Basic for Applications (VBA) component of Office 97 and other VBA apps. The Redmond, Wash.-based company has been forthcoming in not only announcing the potential holes but patching them up.

Microsoft reports the vulnerabilities could be used by crackers to run malicious code on a user's machine without warning. The patch for the Word hole is on the company's Web site, as is the one for Microsoft Forms.

Word 97 warns users when they open a document that contains macros, but Microsoft says that if a document does not contain macros itself but is linked to a template that does, no warning is issued. The company says a cracker could exploit this vulnerability by causing malicious code to be run without warning when a user opens a Word document attached to e-mail or on a Web site. After installing Microsoft's patch, users will be warned before they launch a template that contains macros.

A cracker could also use the Forms 2.0 Control to read or export text on a user's Clipboard when that user visits a Web site set up by the cracker or opens an HTML-based e-mail created by a cracker. The patch prevents a cracker from exploiting the identified vulnerability without removing functionality from the Forms 2.0 Control.

In early December, Microsoft discovered similar vulnerabilities in Excel 97 that allowed crackers to exploit a user's desktop through simple HTML. Just like now, Microsoft sent out mass e-mails, informed the Computer Emergency Response Team (CERT) and posted a patch on its Web site.

-- Brian Ploskina, Assistant Editor

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
