-=PCTechTalk=- Re: Fw: Microsoft Security Bulletin MS03-037: Flaw in Visual B...

  • From: Foxhillers@xxxxxxx
  • To: pctechtalk@xxxxxxxxxxxxx
  • Date: Wed, 3 Sep 2003 19:41:32 EDT

Lionel
   I am running WIN98se with MSOffice97 Pro on three systems.  This patch
does not show up on the UPDATE WIN98 list.  And, the following from the patch
download page does not mention WIN98se.  How risky is it to install on a
WIN98se system, do you think?
thanks
 mjh
Microsoft® Visual Basic® for Applications Update - Q822150

Versions 5.0 and 6.0

An identified security issue in Microsoft® Visual Basic® for Applications
could allow an attacker to compromise a Microsoft Windows®-based system and
then take a variety of actions. By installing this update, you can help
protect your computer.

Quick Info  
File Name:  VBA64-KB822150-X86-ENU.exe  
Download Size:  1669 KB 
Date Published: 9/3/2003    
Version:    6.4 


Overview

An identified security issue in Microsoft® Visual Basic® for Applications
could allow an attacker to compromise a Microsoft Windows®-based system and
then take a variety of actions. For example, an attacker could read files on
your computer or run programs on it. By installing this update, you can help
protect your computer.

Microsoft® Visual Basic® for Applications Update Installer: KB822150 (English)
Download: http://download.microsoft.com/download/3/7/a/37a2f0bf-ec3f-463e-b8e7-0342b5ab0c08/VBA64-KB822150-X86-ENU.exe
    
System Requirements

Supported Operating Systems: Windows 2000, Windows ME, Windows NT, Windows
Server 2003, Windows XP
    


In a message dated 9/3/03 7:11:31 PM Eastern Daylight Time, 
percy10@xxxxxxxxxxxxxxx writes:
> 
> ----- Original Message -----
> From: "Microsoft"
> <0_51915_C8FF513D-EDB5-B44D-83E5-CF713652B20B_AU@xxxxxxxxxxxxxxxxxxxxxxxxx>
> To: <percy10@xxxxxxxxxxxxxxx>
> Sent: Thursday, September 04, 2003 7:20 AM
> Subject: Microsoft Security Bulletin MS03-037: Flaw in Visual Basic for
> Applications Could Allow Arbitrary Code Execution(822715)
> 
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > - ----------------------------------------------------------------------
> > Title:  Flaw in Visual Basic for Applications Could Allow
> > Arbitrary Code Execution (822715)
> > Date:   03 September 2003
> >
> > Affected Software:
> > Microsoft Visual Basic for Applications SDK 5.0
> > Microsoft Visual Basic for Applications SDK 6.0
> > Microsoft Visual Basic for Applications SDK 6.2
> > Microsoft Visual Basic for Applications SDK 6.3
> >
> > Products which include the affected software:
> > Microsoft Access 97
> > Microsoft Access 2000
> > Microsoft Access 2002
> > Microsoft Excel 97
> > Microsoft Excel 2000
> > Microsoft Excel 2002
> > Microsoft PowerPoint 97
> > Microsoft PowerPoint 2000
> > Microsoft PowerPoint 2002
> > Microsoft Project 2000
> > Microsoft Project 2002
> > Microsoft Publisher 2002
> > Microsoft Visio 2000
> > Microsoft Visio 2002
> > Microsoft Word 97
> > Microsoft Word 98(J)
> > Microsoft Word 2000
> > Microsoft Word 2002
> > Microsoft Works Suite 2001
> > Microsoft Works Suite 2002
> > Microsoft Works Suite 2003
> > Microsoft Business Solutions Great Plains 7.5
> > Microsoft Business Solutions Dynamics 6.0
> > Microsoft Business Solutions Dynamics 7.0
> > Microsoft Business Solutions eEnterprise 6.0
> > Microsoft Business Solutions eEnterprise 7.0
> > Microsoft Business Solutions Solomon 4.5
> > Microsoft Business Solutions Solomon 5.0
> > Microsoft Business Solutions Solomon 5.5
> >
> > Impact:     Run code of attacker's choice
> > Max Risk:   Critical
> > Bulletin:   MS03-037
> >
> > Microsoft encourages customers to review the Security Bulletins
> > at:
> > http://www.microsoft.com/technet/security/bulletin/MS03-037.asp
> > http://www.microsoft.com/security/security_bulletins/ms03-037.asp
> > - ----------------------------------------------------------------------
> >
> > Issue:
> > ======
> > Microsoft VBA is a development technology for developing client
> > desktop packaged applications and integrating them with existing
> > data and systems. Microsoft VBA is based on the Microsoft Visual
> > Basic development system. Microsoft Office products include VBA
> > and make use of VBA to perform certain functions. VBA can also be
> > used to build customized applications based around an existing
> > host application.
> >
> > A flaw exists in the way VBA checks document properties passed to
> > it when a document is opened by the host application. A buffer
> > overrun exists which if exploited successfully could allow an
> > attacker to execute code of their choice in the context of the
> > logged on user.
> >
> > In order for an attack to be successful, a user would have to
> > open a specially crafted document sent to them by an attacker.
> > This document could be any type of document that supports VBA,
> > such as a Word document, Excel spreadsheet, PowerPoint
> > presentation. In the case where Microsoft Word is being used as
> > the HTML e-mail editor for Microsoft Outlook, this document could
> > be an e-mail, however the user would need to reply to, or forward
> > the mail message in order for the vulnerability to be exploited.
> >
> > Mitigating Factors:
> > ====================
> > - -The user must open a document sent to them by an attacker in
> > order for this vulnerability to be exploited.
> > - -When Microsoft Word is being used as the HTML e-mail editor in
> > Outlook, a user would need to reply to or forward a malicious
> > e-mail document sent to them in order for this vulnerability to be
> > exploited.
> > - -An attacker's code could only run with the same rights as the
> > logged on user. The specific privileges the attacker could gain
> > through this vulnerability would therefore depend on the
> > privileges granted to the user. Any limitations on a user's
> > account, such as those applied through Group Policies, would also
> > limit the actions of any arbitrary code executed by this
> > vulnerability.
> >
> > Risk Rating:
> > ============
> >  - Critical
> >
> > Patch Availability:
> > ===================
> >  - A patch is available to fix this vulnerability. Please read
> > the Security Bulletins at
> > http://www.microsoft.com/technet/security/bulletin/ms03-037.asp
> > http://www.microsoft.com/security/security_bulletins/ms03-037.asp
> > for information on obtaining this patch.
> >
> > Acknowledgment:
> > ===============
> >  - eEye Digital Security, http://www.eeye.com
> >
> >



MJH










