SYMPTOMS
A macro is a series of commands and instructions that you
group as a single command to complete a task automatically. Microsoft Word
supports the use of macros to allow the automation of frequently performed
tasks. Because macros are executable code, they can be misused, so Word has a
security model that determines whether a macro is allowed to run, depending on
the level of macro security that the user has chosen.
A vulnerability exists because an attacker can craft a malicious document that
will bypass the macro security model. If the document is opened, this flaw
could permit a malicious macro embedded in the document to be executed
automatically, regardless of the level that macro security is set to. The
malicious macro could take the same actions that the user has permissions to
carry out, such as adding, changing, or deleting data or files, communicating
with a Web site, or formatting the hard disk.
The vulnerability could only
be exploited by an attacker who persuaded a user to open a malicious document.
There is no way for an attacker to force a malicious document to be
opened.
Mitigating factors
- The user must open the malicious document for an attacker
to be successful. An attacker cannot force the document to be opened
automatically.
- The vulnerability cannot be exploited automatically
through e-mail. A user must open an attachment sent in e-mail for an e-mail
borne attack to be successful.
- By default, Microsoft Outlook Express 6.0 and Microsoft
Outlook 2002 block programmatic access to their Address Books. Additionally,
Microsoft Outlook 98 and Microsoft Outlook 2000 block programmatic access to
the Outlook Address Book if the Outlook E-mail Security Update has been
installed. Customers who use any of these products would not be at risk of
propagating an e-mail borne attack that tried to exploit this
vulnerability.
- The vulnerability only affects Microsoft Word - other
members of the Microsoft Office product family are not affected.
RESOLUTION
Security Patch Information
Download and Installation Information
Word 2002
If you are running Word 2002, apply the Word 2002
patch.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
824934
Description of the Word 2002 Security Patch: September 3, 2003
Word 2000
If you are running Word 2000, apply the Word 2000
patch.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
824936
Description of the Word 2000 Security Patch: September 3, 2003
Word 97 and Word for Windows 98 (Japanese)
If you are running either Word 97 or Word for Windows 98
Japanese, apply the Word 97 or Word for Windows 98 Japanese
patch.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
827647
Overview of the Word 97 Security Hotfix: September 3, 2003
Works Suite
If you are running Microsoft Works Suite, you should use Office
Update to detect and install the appropriate patch. To view the Office Update,
visit the following Microsoft Web site:
Removal Information
This patch cannot be removed.
Patch Replacement Information
This patch does not replace any other hotfixes.