Microsoft Issues 5 Security Bulletins

As Microsoft prepares to formally launch the next version of Office, the company's security team issued four bulletins for security flaws in existing Microsoft Office programs. One of the flaws is a critical buffer overrun, present in most versions of Office programs, that could allow an attacker to take control of a user's computer. Also on Wednesday, Microsoft released a patch for a low-priority flaw in Windows.

The most serious flaw is with Visual Basic for Applications, which is present in core Office programs like Access, Word, Excel and PowerPoint and affects the 97, 2000 and 2002 versions. Other Office programs at risk are Word 98, FrontPage 2000 and 2002, Publisher 2000 and 2002 and the Microsoft Works suites from 2001, 2002 and 2003. Several Microsoft Business Solutions products are also vulnerable.

The buffer overflow occurs when an Office program opens a document and checks whether Visual Basic for Applications is required. An attacker would exploit the vulnerability by sending a specially crafted document carrying exploit code that would be passed during that stage. The attacker would then control the machine in the security context of the user.

Two of the new security bulletins fix problems rated important by Microsoft. One is a flaw in Microsoft Word 97, 98, 2000 and 2002 that could allow macros to run automatically. Another is a buffer overrun in the WordPerfect converter that could allow code execution. The WordPerfect converter vulnerability affects Microsoft Office 97, 2000 and XP as well as some individual Office programs and the Microsoft Works suites.

A moderate vulnerability was also disclosed Wednesday in the Microsoft Access Snapshot viewer. An unchecked buffer there could allow code execution.

The Windows-related vulnerability, rated a low-priority problem by Microsoft, is a flaw in NetBIOS that could allow information disclosure. The flaw exists in Windows NT 4.0 Server; Windows NT 4.0, Terminal Server Edition; Windows 2000; Windows XP; and Windows Server 2003.

To view the security bulletins and apply the patches, click on the following links:

  • Flaw in Visual Basic for Applications Could Allow Arbitrary Code Execution
  • Flaw in Microsoft Word Could Enable Macros to Run Automatically
  • Buffer Overrun in WordPerfect Converter Could Allow Code Execution
  • Flaw in NetBIOS Could Lead to Information Disclosure
  • Unchecked buffer in Microsoft Access Snapshot Viewer Could Allow Code Execution

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

