NI3
11-13-2003, 11:19 AM
TITLE:
Microsoft Word and Excel Execution of Arbitrary Code
SECUNIA ADVISORY ID:
SA10194
VERIFY ADVISORY:
[Only registered and activated users can see links]
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
From remote
SOFTWARE:
Microsoft Word 98(J)
Microsoft Word 97
Microsoft Word 2002
Microsoft Word 2000
Microsoft Office 97
Microsoft Office 2000
DESCRIPTION:
Microsoft has issued patches for Microsoft Excel and Word which fix
two vulnerabilities allowing malicious people to execute arbitrary
code.
It is possible to create Excel documents which can bypass the Macro
security check in Microsoft Excel. This can be exploited by malicious
people to execute arbitrary Macro code. Macro code can perform the
same actions as the current user.
The length of Macro names isn't properly verified in Word. This can
be exploited to cause a buffer overflow which may cause Word to crash
and possibly to execute arbitrary code.
This may be exploited automatically in Internet Explorer by a
malicious website because Internet Explorer automatically launches
the helper application which is installed by Microsoft Office.
SOLUTION:
Patches are available:
Microsoft Excel 97
[Only registered and activated users can see links]
Microsoft Excel 2000
[Only registered and activated users can see links]
Microsoft Excel 2002
[Only registered and activated users can see links]
Microsoft Word 97
[Only registered and activated users can see links]
Microsoft Word 98(J)
[Only registered and activated users can see links]
Microsoft Word 2000 and Microsoft Works Suite 2001
[Only registered and activated users can see links]
Microsoft Word 2002, Microsoft Works Suite 2002, Microsoft Works
Suite 2003, and Microsoft Works Suite 2004
[Only registered and activated users can see links]
REPORTED BY / CREDITS:
Kazuyuki Housaka
ORIGINAL ADVISORY:
Vulnerability in Microsoft Word and Microsoft Excel Could Allow
Arbitrary Code to Run (831527)
[Only registered and activated users can see links]
----------------------------------------------------------------------
Microsoft Word and Excel Execution of Arbitrary Code
SECUNIA ADVISORY ID:
SA10194
VERIFY ADVISORY:
[Only registered and activated users can see links]
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
From remote
SOFTWARE:
Microsoft Word 98(J)
Microsoft Word 97
Microsoft Word 2002
Microsoft Word 2000
Microsoft Office 97
Microsoft Office 2000
DESCRIPTION:
Microsoft has issued patches for Microsoft Excel and Word which fix
two vulnerabilities allowing malicious people to execute arbitrary
code.
It is possible to create Excel documents which can bypass the Macro
security check in Microsoft Excel. This can be exploited by malicious
people to execute arbitrary Macro code. Macro code can perform the
same actions as the current user.
The length of Macro names isn't properly verified in Word. This can
be exploited to cause a buffer overflow which may cause Word to crash
and possibly to execute arbitrary code.
This may be exploited automatically in Internet Explorer by a
malicious website because Internet Explorer automatically launches
the helper application which is installed by Microsoft Office.
SOLUTION:
Patches are available:
Microsoft Excel 97
[Only registered and activated users can see links]
Microsoft Excel 2000
[Only registered and activated users can see links]
Microsoft Excel 2002
[Only registered and activated users can see links]
Microsoft Word 97
[Only registered and activated users can see links]
Microsoft Word 98(J)
[Only registered and activated users can see links]
Microsoft Word 2000 and Microsoft Works Suite 2001
[Only registered and activated users can see links]
Microsoft Word 2002, Microsoft Works Suite 2002, Microsoft Works
Suite 2003, and Microsoft Works Suite 2004
[Only registered and activated users can see links]
REPORTED BY / CREDITS:
Kazuyuki Housaka
ORIGINAL ADVISORY:
Vulnerability in Microsoft Word and Microsoft Excel Could Allow
Arbitrary Code to Run (831527)
[Only registered and activated users can see links]
----------------------------------------------------------------------