Multiple Vulnerabilities in Microsoft Excel, Office XP, and Word

Multiple vulnerabilities exist in Excel, Office XP, and Word for Windows, all of which enable an attacker to execute macro code on the vulnerable system.

Ken Pfeil

June 20, 2002

3 Min Read
ITPro Today logo in a gray background | ITPro Today

Reported June 19, 2002, byMicrosoft.

VERSIONS AFFECTED

 

·        Microsoft Excel 2002 for Windows

·        Microsoft Excel 2000 for Windows

·        Microsoft Office XP for Windows

·        Microsoft Office 2000 for Windows

·        Microsoft Word 2002 for Windows

 

DESCRIPTION

Multiple vulnerabilities exist in Excel, Office XP,and Word for Windows, all of which enable an attacker to execute macro code onthe vulnerable system. These four newly discovered vulnerabilities are:

·        An Excel macro execution vulnerability that relates to howthe system handles inline macros associated with objects. This vulnerability canenable macros to execute and bypass the Macro Security Model when an affecteduser clicks an object in a workbook.

·        An Excel macro execution vulnerability that relates to howthe system handles macros in workbooks when a user opens those workbooks from ahyperlink on a drawing shape. It's possible for an attacker to automatically runworkbook macros so invoked.

·        An HTML script execution vulnerability that can occur whena user opens an Excel workbook with an XSL stylesheet containing HTML script. Anattacker can run the script within the XSL stylesheet in the local computerzone.

·        A new variant of the Word Mail Merge vulnerability firstaddressed in Security Bulletin MS00-071(Patch Available for "Word Mail Merge" Vulnerability). This newvariant lets an attacker's macro code run automatically if the affected user hasAccess on the system and chooses to open a mail-merge document that the user hadsaved in HTML format.

VENDOR RESPONSE

Thevendor, Microsoft, has released SecurityBulletin MS02-031(Cumulative Patches for Excel and Word for Windows) to address thisvulnerability and recommends that affected users download and apply theappropriate patch mentioned in the bulletin. These patches are cumulative andaddress all previously discovered vulnerabilities in the affected products.

 

CREDIT
Discoveredby the dH team, Darryl Higa, and SECURITY.NNOV.

Read more about:

Microsoft
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like