News

Microsoft Issues 5 Security Bulletins

As Microsoft prepares to formally launch the next version of Office, the company's security team issued four bulletins for security flaws in existing Microsoft Office programs. One of the flaws is a critical buffer overrun that exists in most versions of Office programs that could allow an attacker to take control of a user's computer. Also Wednesday, Microsoft released a patch for a low-priority flaw in Windows.

The most serious flaw is with Visual Basic for Applications, which is present in core Office programs like Access, Word, Excel and PowerPoint and affects the 97, 2000 and 2002 versions. Other Office programs at risk are Word 98, FrontPage 2000 and 2002, Publisher 2000 and 2002 and the Microsoft Works suites from 2001, 2002 and 2003. Several Microsoft Business Solutions products are also vulnerable.

A buffer overflow vulnerability is present as the Office programs open documents to check to see if Visual Basic for Applications is required. An attacker would exploit the vulnerability by sending a specially crafted document that carries exploit code that would be passed during that stage. The attacker would control the machine in the security context of the user.

Two of the new security bulletins fix problems rated important by Microsoft. One is a flaw in Microsoft Word 97, 98, 2000 and 2002 that could allow macros to run automatically. Another is a buffer overrun in the WordPerfect converter that could allow code execution. The WordPerfect converter vulnerability affects Microsoft Office 97, 2000 and XP as well as some individual Office programs and the Microsoft Works suites.

A moderate vulnerability was also disclosed Wednesday in the Microsoft Access Snapshot viewer. An unchecked buffer there could allow code execution.

The Windows-related vulnerability, rated a low-priority problem by Microsoft, is a flaw in NetBIOS that could allow information disclosure. The flaw exists in Windows NT 4.0 Server; Windows NT 4.0, Terminal Server Edition; Windows 2000; Windows XP; and Windows Server 2003.

To view the security bulletins and apply the patches, click on the following links:

  • Flaw in Visual Basic for Applications Could Allow Arbitrary Code Execution
    www.microsoft.com/technet/security/bulletin/MS03-037.asp.
  • Flaw in Microsoft Word Could Enable Macros to Run Automatically
    www.microsoft.com/technet/security/bulletin/MS03-035.asp.
  • Buffer Overrun in WordPerfect Converter Could Allow Code Execution
    www.microsoft.com/technet/security/bulletin/MS03-036.asp.
  • Flaw in NetBIOS Could Lead to Information Disclosure
    www.microsoft.com/technet/security/bulletin/MS03-034.asp.
  • Unchecked buffer in Microsoft Access Snapshot Viewer Could Allow Code Execution
    www.microsoft.com/technet/security/bulletin/MS03-038.asp.

  • About the Author

    Scott Bekker is editor in chief of Redmond Channel Partner magazine.