
VBA Flaw Leaves Office Users Vulnerable

Written by Ryan Naraine
Sep 3, 2003

Microsoft on Wednesday issued security alerts for five new vulnerabilities discovered in software products, including a “critical” flaw that affects some versions of the popular Office suite.

The vulnerability exists in the way Microsoft’s Visual Basic for Applications checks document properties passed to it when a document is opened. “A buffer overrun exists which if exploited successfully could allow an attacker to execute code of their choice in the context of the logged on user,” Microsoft warned, urging users to immediately apply the appropriate patches.

The vulnerable VBA is a development technology for creating client desktop packaged applications and integrating them with existing data and systems. It is based on Microsoft’s Visual Basic development system and is used within Microsoft Office products.

The company warned that an attacker could craft a document supporting VBA and target susceptible applications. A successful attack could be launched within any type of document that supports VBA, including Microsoft Word, Excel or PowerPoint. “In the case where Microsoft Word is being used as the HTML e-mail editor for Microsoft Outlook, this document could be an e-mail, however the user would need to reply to, or forward the mail message in order for the vulnerability to be exploited,” the company said.

Affected software includes Microsoft Visual Basic for Applications SDK 5.0 through 6.3. Microsoft products that ship the vulnerable VBA include Word, Works, Access, Excel, PowerPoint, Project, Publisher, Visio, Business Solutions Great Plains, Business Solutions Dynamics, Business Solutions eEnterprise and Business Solutions Solomon.

The company also issued fixes for a flaw in Microsoft Word that could let an attacker bypass the macro security model and run macros without warning. The alert, which carries an ‘important’ rating, warned that an attacker could craft a malicious document so that a malicious macro embedded in it is executed automatically, regardless of the level at which macro security is set.

“The malicious macro could take the same actions that the user had permissions to carry out, such as adding, changing or deleting data or files, communicating with a web site or formatting the hard drive,” the company warned.

Another ‘important’ alert was issued for a buffer overrun vulnerability in WordPerfect Converter that affects users of Microsoft Office, FrontPage, Publisher and Works products.

“[The] vulnerability results because the converter does not correctly validate certain parameters when it opens a WordPerfect document, which results in an unchecked buffer. As a result, an attacker could craft a malicious WordPerfect document that could allow code of their choice to be executed if an application that used the WordPerfect converter opened the document,” Microsoft added.

The company also issued a separate patch for an unchecked buffer in the Access Snapshot Viewer product that carries a ‘moderate’ rating.

A fifth alert was released with a ‘low’ rating for an information disclosure hole in NetBIOS. That vulnerability affects Windows NT 4.0 Server, Windows NT 4.0, Terminal Server Edition, Windows 2000, Windows XP and Microsoft Windows Server 2003.
