Microsoft Issues 5 Security Bulletins

As Microsoft prepares to formally launch the next version of Office, the company's security team issued four bulletins for security flaws in existing Microsoft Office programs. One of the flaws is a critical buffer overrun, present in most versions of Office programs, that could allow an attacker to take control of a user's computer. Also Wednesday, Microsoft released a patch for a low-priority flaw in Windows.

The most serious flaw is with Visual Basic for Applications, which is present in core Office programs like Access, Word, Excel and PowerPoint and affects the 97, 2000 and 2002 versions. Other Office programs at risk are Word 98, FrontPage 2000 and 2002, Publisher 2000 and 2002 and the Microsoft Works suites from 2001, 2002 and 2003. Several Microsoft Business Solutions products are also vulnerable.

The buffer overflow is reached when an Office program opens a document and checks whether Visual Basic for Applications is required. An attacker would exploit the vulnerability by sending a specially crafted document carrying exploit code that would be passed during that stage. The attacker would control the machine in the security context of the user.

Two of the new security bulletins fix problems rated important by Microsoft. One is a flaw in Microsoft Word 97, 98, 2000 and 2002 that could allow macros to run automatically. Another is a buffer overrun in the WordPerfect converter that could allow code execution. The WordPerfect converter vulnerability affects Microsoft Office 97, 2000 and XP as well as some individual Office programs and the Microsoft Works suites.

A moderate vulnerability was also disclosed Wednesday in the Microsoft Access Snapshot viewer. An unchecked buffer there could allow code execution.

The Windows-related vulnerability, rated a low-priority problem by Microsoft, is a flaw in NetBIOS that could allow information disclosure. The flaw exists in Windows NT 4.0 Server; Windows NT 4.0, Terminal Server Edition; Windows 2000; Windows XP; and Windows Server 2003.

To view the security bulletins and apply the patches, click on the following links:

  • Flaw in Visual Basic for Applications Could Allow Arbitrary Code Execution
  • Flaw in Microsoft Word Could Enable Macros to Run Automatically
  • Buffer Overrun in WordPerfect Converter Could Allow Code Execution
  • Flaw in NetBIOS Could Lead to Information Disclosure
  • Unchecked buffer in Microsoft Access Snapshot Viewer Could Allow Code Execution

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

