Multiple Vulnerabilities in Microsoft Excel, Office XP, and Word

Multiple vulnerabilities exist in Excel, Office XP, and Word for Windows, all of which enable an attacker to execute macro code on the vulnerable system.

Ken Pfeil

June 20, 2002

Reported June 19, 2002, by Microsoft.

VERSIONS AFFECTED

· Microsoft Excel 2002 for Windows

· Microsoft Excel 2000 for Windows

· Microsoft Office XP for Windows

· Microsoft Office 2000 for Windows

· Microsoft Word 2002 for Windows

DESCRIPTION

Multiple vulnerabilities exist in Excel, Office XP, and Word for Windows, all of which enable an attacker to execute macro code on the vulnerable system. These four newly discovered vulnerabilities are:

· An Excel macro execution vulnerability that relates to how the system handles inline macros associated with objects. This vulnerability can enable macros to execute and bypass the Macro Security Model when an affected user clicks an object in a workbook.

· An Excel macro execution vulnerability that relates to how the system handles macros in workbooks when a user opens those workbooks from a hyperlink on a drawing shape. It's possible for an attacker to automatically run workbook macros so invoked.

· An HTML script execution vulnerability that can occur when a user opens an Excel workbook with an XSL stylesheet containing HTML script. An attacker can run the script within the XSL stylesheet in the local computer zone.

· A new variant of the Word Mail Merge vulnerability first addressed in Security Bulletin MS00-071 (Patch Available for "Word Mail Merge" Vulnerability). This new variant lets an attacker's macro code run automatically if the affected user has Access on the system and chooses to open a mail-merge document that the user had saved in HTML format.

VENDOR RESPONSE

The vendor, Microsoft, has released Security Bulletin MS02-031 (Cumulative Patches for Excel and Word for Windows) to address these vulnerabilities and recommends that affected users download and apply the appropriate patch mentioned in the bulletin. These patches are cumulative and address all previously discovered vulnerabilities in the affected products.

CREDIT
Discovered by the dH team, Darryl Higa, and SECURITY.NNOV.
