Word Mail Merge Vulnerability

A security vulnerability exists in Microsoft® Word 2000 and 97 which could allow a malicious user to run arbitrary code on a victim's computer without their approval.

Issue

If an Access database is specified as a data source via DDE in a Word mail merge document, macro code can run without the user's approval when the user opens that document.

If a user could be enticed into opening a specially constructed mail merge Word document, which was provided either as an e-mail attachment or as a link hosted on a hostile web site, it would be possible to cause arbitrary code to run on the user's machine. For such an attack to succeed, the victim would also need the ability to reach the Access database via a UNC share or file:// protocol. If the user is behind a firewall and security best practices have been followed, the ports required to access the database would be blocked.
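As an added illustration (not part of the original advisory), the reachability condition above can be turned into a triage check: given data-source paths already extracted from mail merge documents, flag those that point at an Access database on a UNC share or at a file:// URL with a remote host. The function names, the sample inventory and the `.mdb` extension test are assumptions of this example.

```python
from urllib.parse import urlsplit

LOOPBACK = {"", "localhost", "127.0.0.1", "::1"}

def classify_data_source(ref: str) -> str:
    """Classify a data-source path as 'remote-unc', 'remote-file-url' or 'local'."""
    s = ref.strip().strip('"')
    if s.lower().startswith("file:"):
        url = urlsplit(s.replace("\\", "/"))
        host = (url.hostname or "").lower()
        # file:////host/share is a UNC path written with an empty authority.
        if host not in LOOPBACK or url.path.startswith("//"):
            return "remote-file-url"
        return "local"
    parts = s.replace("/", "\\").split("\\")
    # \\host\share\db.mdb splits into ['', '', 'host', 'share', 'db.mdb'].
    if len(parts) >= 4 and parts[0] == "" and parts[1] == "":
        host = parts[2].lower()
        if host in ("?", "."):
            # \\?\ and \\.\ are Win32 device prefixes; only \\?\UNC\ is a share.
            return "remote-unc" if parts[3].upper() == "UNC" else "local"
        if host not in LOOPBACK:
            return "remote-unc"
    # Drive letters count as local here; a mapped network drive cannot be
    # recognised from the string alone.
    return "local"

def remote_access_sources(inventory: dict) -> list:
    """Return document names whose data source is a remotely hosted .mdb file."""
    flagged = []
    for doc, ref in inventory.items():
        is_access = ref.strip().strip('"').lower().endswith(".mdb")
        if is_access and classify_data_source(ref) != "local":
            flagged.append(doc)
    return sorted(flagged)

# Constructed sample inventory: document name -> data-source path.
SAMPLE = {
    "invoice.doc": r"\\fileserver.example\share\customers.mdb",
    "letter.doc": r"C:\My Documents\contacts.mdb",
    "notice.doc": "file://fileserver.example/share/list.mdb",
    "labels.doc": "file:///C:/data/labels.mdb",
}

if __name__ == "__main__":
    for doc in remote_access_sources(SAMPLE):
        print(doc, "->", classify_data_source(SAMPLE[doc]))
```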

Affected Products

  • Microsoft Word 97 & 2000

Solution

A software patch is available from the following locations:

Further Details

Source: Microsoft Corporation

Reference: Microsoft Corporation

Updated: October 5, 2000
