Flaw in Microsoft Word Could Enable Macros New

A flaw in Microsoft Word 97, 98, 2000, 2002 and Microsoft Works 2001, 2002, 2003 could allow documents to run macros automatically bypassing the normal security restrictions.

Issue

A macro is a series of commands and instructions that can be grouped together as a single command to accomplish a task automatically. Microsoft Word supports the use of macros to allow the automation of commonly performed tasks. Since macros are executable code it is possible to misuse them, so Microsoft Word has a security model designed to validate whether a macro should be allowed to execute depending on the level of macro security the user has chosen.

A vulnerability exists because it is possible for an attacker to craft a malicious document that will bypass the macro security model. If the document was opened, this flaw could allow a malicious macro embedded in the document to be executed automatically, regardless of the level at which macro security is set. The malicious macro could take the same actions that the user had permissions to carry out, such as adding, changing or deleting data or files, communicating with a web site or formatting the hard drive.

The vulnerability could only be exploited by an attacker who persuaded a user to open a malicious document –there is no way for an attacker to force a malicious document to be opened.

Affected Products

• Microsoft Word 97
• Microsoft Word 98 (J)
• Microsoft Word 2000
• Microsoft Word 2002
• Microsoft Works Suite 2001
• Microsoft Works Suite 2002
• Microsoft Works Suite 2003

Download

Patch: http://www.office.microsoft.com/ProductUpdates/default.aspx

Further Details

Source: Microsoft Corporation

Reference: Microsoft Corporation

Updated: September 3, 2003

>> Recommended Download - secure your PC from spyware, adware and malware now with Spyware Doctor <<