The company said the buffer overflow issue in the Visual Basic for Applications technology included in versions of Office creates a backdoor that could allow hackers to compromise a Windows system, read files and run programs on it.
‘A flaw exists in the way VBA checks document properties passed to it when a document is opened by the host application. A buffer overrun exists which if exploited successfully could allow an attacker to execute code of their choice in the context of the logged on user,’ stated Microsoft.
In order for an attack to be successful, a user would have to open a specially crafted document sent to them by an attacker: ‘This document could be any type of document that supports VBA, such as a Word document, Excel spreadsheet, PowerPoint presentation,’ said the company.
Where Microsoft Word is being used as the HTML email editor for Outlook, a document could be an email, but the user would have to reply to or forward the mail message for the vulnerability to be exploited.
VBA is used for developing client desktop packaged applications and integrating them with existing data and systems.
Based on the Microsoft Visual Basic development system, it is used in Microsoft Office products, which make use of VBA to perform core functions.
VBA can also be used to build customised applications based around an existing host application.
Microsoft issued a patch, which can be found at this link: http://www.microsoft.com/security/security_bulletins/ms03-037.asp
Microsoft products affected by the bug include:
- Visual Basic for Applications SDK 5.0, 6.0, 6.2, and 6.3
- Office 97, 2000, and XP
- Word 98 (J)
- Visio 2000 and 2002
- Project 2000 and 2002
- Publisher 2002
- Works Suite 2001, 2002, and 2003
- Business Solutions Great Plains 7.5
- Business Solutions Dynamics 6.0 and 7.0
- Business Solutions eEnterprise 6.0 and 7.0
- Business Solutions Solomon 4.5, 5.0, and 5.5