-=PCTechTalk=- Re: Fw: Microsoft Security Bulletin MS03-037: Flaw in Visual B... :VSMail mx3

  • From: James LaBorde <jlaborde@xxxxxxxxx>
  • To: "'pctechtalk@xxxxxxxxxxxxx'" <pctechtalk@xxxxxxxxxxxxx>
  • Date: Thu, 4 Sep 2003 09:59:41 -0700

MJH,

If you are running Office97 this vulnerability applies to you as well.  Go
to the online version of the security bulletin (the link is in the email)
and you will find a link to follow for the path to your particular version.
Also you may want to note that Office Update does not support Office 97 for
this update according to the bulletin.

James

-----Original Message-----
From: Foxhillers@xxxxxxx [mailto:Foxhillers@xxxxxxx]
Sent: Wednesday, September 03, 2003 4:42 PM
To: pctechtalk@xxxxxxxxxxxxx
Subject: -=PCTechTalk=- Re: Fw: Microsoft Security Bulletin MS03-037: Flaw in Visual B... :VSMail mx3


Lionel
   I am running WIN98se with MSOffice97 Pro on three systems.  This patch
does not show up on the UPDATE WIN98 list.  And, the following from the
patch download page does not mention WIN98se.  How risky is it to install on
a WIN98se do you think?
thanks
 mjh
Microsoft® Visual Basic® for Applications Update - Q822150

Versions 5.0 and 6.0

An identified security issue in Microsoft® Visual Basic® for Applications
could allow an attacker to compromise a Microsoft Windows®-based system and
then take a variety of actions. By installing this update, you can help
protect your computer.

Quick Info
File Name:  VBA64-KB822150-X86-ENU.exe
Download Size:  1669 KB
Date Published: 9/3/2003
Version:    6.4


Overview

An identified security issue in Microsoft® Visual Basic® for Applications
could allow an attacker to compromise a Microsoft Windows®-based system and
then take a variety of actions. For example, an attacker could read files on
your computer or run programs on it. By installing this update, you can help
protect your computer.

Microsoft® Visual Basic® for Applications Update Installer: KB822150
English
Download: http://download.microsoft.com/download/3/7/a/37a2f0bf-ec3f-463e-b8e7-0342b5ab0c08/VBA64-KB822150-X86-ENU.exe

Related Resources

Subscribe to MSDN: http://msdn.microsoft.com/subscriptions/default.asp
Visual Basic for Applications Developer Center: http://msdn.microsoft.com/vba/
Microsoft Office Update: http://office.microsoft.com/ProductUpdates/default.aspx
Microsoft Security and Privacy: http://www.microsoft.com/security/

System Requirements

Supported Operating Systems: Windows 2000, Windows ME, Windows NT, Windows
Server 2003, Windows XP


In a message dated 9/3/03 7:11:31 PM Eastern Daylight Time,
percy10@xxxxxxxxxxxxxxx writes:
>
> ----- Original Message -----
> From: "Microsoft" <0_51915_C8FF513D-EDB5-B44D-83E5-CF713652B20B_AU@xxxxxxxxxxxxxxxxxxxxxxxom>
> To: <percy10@xxxxxxxxxxxxxxx>
> Sent: Thursday, September 04, 2003 7:20 AM
> Subject: Microsoft Security Bulletin MS03-037: Flaw in Visual Basic for
> Applications Could Allow Arbitrary Code Execution(822715)
>
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > - ----------------------------------------------------------------------
> > Title:  Flaw in Visual Basic for Applications Could Allow
> > Arbitrary Code Execution (822715)
> > Date:   03 September 2003
> >
> > Affected Software:
> > Microsoft Visual Basic for Applications SDK 5.0
> > Microsoft Visual Basic for Applications SDK 6.0
> > Microsoft Visual Basic for Applications SDK 6.2
> > Microsoft Visual Basic for Applications SDK 6.3
> >
> > Products which include the affected software:
> > Microsoft Access 97
> > Microsoft Access 2000
> > Microsoft Access 2002
> > Microsoft Excel 97
> > Microsoft Excel 2000
> > Microsoft Excel 2002
> > Microsoft PowerPoint 97
> > Microsoft PowerPoint 2000
> > Microsoft PowerPoint 2002
> > Microsoft Project 2000
> > Microsoft Project 2002
> > Microsoft Publisher 2002
> > Microsoft Visio 2000
> > Microsoft Visio 2002
> > Microsoft Word 97
> > Microsoft Word 98(J)
> > Microsoft Word 2000
> > Microsoft Word 2002
> > Microsoft Works Suite 2001
> > Microsoft Works Suite 2002
> > Microsoft Works Suite 2003
> > Microsoft Business Solutions Great Plains 7.5
> > Microsoft Business Solutions Dynamics 6.0
> > Microsoft Business Solutions Dynamics 7.0
> > Microsoft Business Solutions eEnterprise 6.0
> > Microsoft Business Solutions eEnterprise 7.0
> > Microsoft Business Solutions Solomon 4.5
> > Microsoft Business Solutions Solomon 5.0
> > Microsoft Business Solutions Solomon 5.5
> >
> > Impact:     Run code of attackers choice
> > Max Risk:   Critical
> > Bulletin:   MS03-037
> >
> > Microsoft encourages customers to review the Security Bulletins
> > at:
> > http://www.microsoft.com/technet/security/bulletin/MS03-037.asp
> > http://www.microsoft.com/security/security_bulletins/ms03-037.asp
> > - ----------------------------------------------------------------------
> >
> > Issue:
> > ======
> > Microsoft VBA is a development technology for developing client
> > desktop packaged applications and integrating them with existing
> > data and systems. Microsoft VBA is based on the Microsoft Visual
> > Basic development system. Microsoft Office products include VBA
> > and make use of VBA to perform certain functions. VBA can also be
> > used to build customized applications based around an existing
> > host application.
> >
> > A flaw exists in the way VBA checks document properties passed to
> > it when a document is opened by the host application. A buffer
> > overrun exists which if exploited successfully could allow an
> > attacker to execute code of their choice in the context of the
> > logged on user.
> >
> > In order for an attack to be successful, a user would have to
> > open a specially crafted document sent to them by an attacker.
> > This document could be any type of document that supports VBA,
> > such as a Word document, Excel spreadsheet, PowerPoint
> > presentation. In the case where Microsoft Word is being used as
> > the HTML e-mail editor for Microsoft Outlook, this document could
> > be an e-mail, however the user would need to reply to, or forward
> > the mail message in order for the vulnerability to be exploited.
> >
> > Mitigating Factors:
> > ====================
> > - -The user must open a document sent to them by an attacker in
> > order for this vulnerability to be exploited.
> > - -When Microsoft Word is being used as the HTML e-mail editor in
> > Outlook, a user would need to reply to or forward a malicious
> > e-mail document sent to them in order for this vulnerability to be
> > exploited.
> > - -An attacker's code could only run with the same rights as the
> > logged on user. The specific privileges the attacker could gain
> > through this vulnerability would therefore depend on the
> > privileges granted to the user. Any limitations on a user's
> > account, such as those applied through Group Policies, would also
> > limit the actions of any arbitrary code executed by this
> > vulnerability.
> >
> > Risk Rating:
> > ============
> >  - Critical
> >
> > Patch Availability:
> > ===================
> >  - A patch is available to fix this vulnerability. Please read
> > the Security Bulletins at
> > http://www.microsoft.com/technet/security/bulletin/ms03-037.asp
> > http://www.microsoft.com/security/security_bulletins/ms03-037.asp
> > for information on obtaining this patch.
> >
> > Acknowledgment:
> > ===============
> >  - eEye Digital Security, http://www.eeye.com
> >
> >



MJH

To unsub or change your email settings:
//www.freelists.org/webpage/pctechtalk

To access our Archives:
http://groups.yahoo.com/group/PCTechTalk/messages/
//www.freelists.org/archives/pctechtalk/

For more info:
//www.freelists.org/cgi-bin/list?list_id=pctechtalk
