Please read Security Bulletin MS03-037

K

Kathy [MSFT]

MS03-037: Flaw in Visual Basic for Applications Could
Allow Arbitrary Code Execution
The information in this article applies to:
Microsoft Visual Basic for Applications (VBA) Software
Development Kit (SDK) 5.0
Microsoft Visual Basic for Applications (VBA) Software
Development Kit (SDK) 6.0
Microsoft Visual Basic for Applications (VBA) Software
Development Kit (SDK) 6.1
Microsoft Access 97
Microsoft Access 2000
Microsoft Access 2002
Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 97 for Windows
Microsoft PowerPoint 2000
Microsoft PowerPoint 2002
Microsoft PowerPoint 97 for Windows
Microsoft Project 2000
Microsoft Project 2002
Microsoft Publisher 2002
Microsoft Visio 2000 Enterprise Edition
Microsoft Visio 2000 Professional Edition
Microsoft Visio 2000 Standard Edition
Microsoft Visio 2000 Technical Edition
Microsoft Visio 2002 Professional
Microsoft Visio 2002 Standard
Microsoft Word 2000
Microsoft Word 2002
Microsoft Word 97 for Windows
Microsoft Word for Windows 98 (Japanese)
Microsoft Works Suite 2001
Microsoft Works Suite 2002
Microsoft Works Suite 2003
Microsoft Office 2000 Premium
Microsoft Office 2000 Professional
Microsoft Office 2000 Standard
Microsoft Office XP Professional
Microsoft Office XP Standard

The information in this article also applies to:
Microsoft Business Solutions Dynamics 7.0
Microsoft Business Solutions eEnterprise 7.0
Microsoft Business Solutions Solomon IV 4.5
Microsoft Business Solutions Solomon IV 5.0
SYMPTOMS
Microsoft Visual Basic for Applications (VBA) is based on
the Microsoft Visual Basic development system. Microsoft
Office products include VBA and use it to perform certain
functions. You can use VBA to build customized programs
that are based on an existing host program.

A flaw exists in the way VBA checks document properties
passed to it when a document is opened by the host
program. A buffer overrun exists which, if exploited
successfully, could allow an attacker to execute code of
their choice in the context of the logged on user.

In order for an attack to be successful, the logged on
user would have to open a specially crafted document sent
to them by an attacker. This document could be any type
of document that supports VBA, such as a Microsoft Word
document, a Microsoft Excel spreadsheet, or a Microsoft
PowerPoint presentation. If Word is being used as the
HTML e-mail editor for Microsoft Outlook, this document
could be an e-mail message. However, the logged on user
must reply to or forward the malicious e-mail message in
order for the vulnerability to be exploited.

Mitigating factors
The logged on user must open a document that is sent to
them by an attacker in order for this vulnerability to be
exploited.
If Word is being used as the HTML e-mail editor in
Outlook, a user must reply to or forward a malicious
e-mail message that was sent to them by the attacker in
order for this vulnerability to be exploited.
An attacker's code could only run with the same rights as
the logged on user. The specific privileges the attacker
could gain through this vulnerability would therefore
depend on the privileges that are granted to the logged
on user. Any limitations on the logged on user's account,
such as those applied through Group Policies, would also
limit the actions of any arbitrary code executed by this
vulnerability.
RESOLUTION
Security Patch Information
Download and Installation Information
If you are using any of the following programs, you
should apply the VBA version of this patch:
Microsoft VBA 5.0
Microsoft VBA 6.0
Microsoft VBA 6.2
Microsoft VBA 6.3
Microsoft Access 97
Microsoft Excel 97
Microsoft PowerPoint 97
Microsoft Word 97
Microsoft Word 98(J)
Microsoft Works 2001
Microsoft Works 2002
Microsoft Works Suite 2003
Microsoft Business Solutions Great Plains 7.5
Microsoft Business Solutions Dynamics 6.0
Microsoft Business Solutions Dynamics 7.0
Microsoft Business Solutions eEnterprise 6.0
Microsoft Business Solutions eEnterprise 7.0
Microsoft Business Solutions Solomon IV 4.5
Microsoft Business Solutions Solomon IV 5.0
Microsoft Business Solutions Solomon IV 5.5

For additional information about the Microsoft VBA patch,
click the following article number to view the article in
the Microsoft Knowledge Base:
822150 VBASDK: Availability of the Microsoft VBA Security
Update for MS03-037

If you are using any of the following applications, you
should apply the specific version of the patch for those
products.
Microsoft Project 2000
Microsoft Project 2002
Microsoft Visio 2002

For additional information about these security patches,
click the following article numbers to view the articles
in the Microsoft Knowledge Base:
822211 Overview of the Microsoft Project 2002 Security
Patch: September 3, 2003

822478 Overview of the Microsoft Project 2000 Security
Patch: September 3, 2003

822212 Overview of the Visio 2002 Security Patch:
September 3, 2003

If you are using any of the following programs, you
should apply the specific version of the patch for those
products.
Microsoft Office 2000
Microsoft Office XP (including Microsoft Publisher 2002)
For additional information about these security patches,
click the following article numbers to view the articles
in the Microsoft Knowledge Base:
822036 Overview of the Office XP Security Patch:
September 3, 2003

822035 Overview of the Office 2000 Security Patch:
September 3, 2003

Removal Information
You cannot remove this patch.
Patch Replacement Information
This patch does not replace any other hotfixes.
REFERENCES
For more information about these vulnerabilities, visit
the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS03-037.asp



Kathy Prince
Microsoft Support Lifecycle & Security
Program Manager

This posting is provided "AS IS" with no warranty and
confers no rights.
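The bulletin says only that VBA trusts document properties handed to it by the host and that a buffer overrun results; it gives no details of the flawed check. The following is an added, hypothetical illustration of that bug class, written for this page and not taken from Microsoft's VBA code: a toy property record (2-byte little-endian length followed by payload) is parsed once by a routine that trusts the length field and once by a routine that validates it against both the destination buffer and the bytes actually present. The record layout, PROP_MAX, and all function names are assumptions for the example; the sample records are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROP_MAX 32   /* hypothetical fixed-size property buffer */

/* Build a toy property record: 2-byte little-endian length, then payload.
 * 'claimed' may differ from 'actual' to model a corrupt or malicious file.
 * Returns the record size written, or 0 if it does not fit in dst. */
static size_t build_record(uint8_t *dst, size_t cap, uint16_t claimed,
                           size_t actual, char fill)
{
    if (cap < 2 + actual)
        return 0;
    dst[0] = (uint8_t)(claimed & 0xff);
    dst[1] = (uint8_t)(claimed >> 8);
    memset(dst + 2, (unsigned char)fill, actual);
    return 2 + actual;
}

/* Vulnerable form: the length field comes straight from the file and is
 * used as the copy size. A claimed length >= PROP_MAX writes past 'out',
 * which is the class of overrun the bulletin describes. Only call this
 * with a well-formed record; it exists here to show the missing check. */
static int read_property_unchecked(const uint8_t *rec, size_t rec_len,
                                   char out[PROP_MAX])
{
    if (rec_len < 2)
        return -1;
    uint16_t n = (uint16_t)(rec[0] | (rec[1] << 8));
    memcpy(out, rec + 2, n);      /* no bound against PROP_MAX or rec_len */
    out[n] = '\0';
    return 0;
}

/* Hardened form: reject a length that would overrun the destination
 * (leaving room for the terminator) or that claims more payload bytes
 * than the record actually contains (a truncated or lying header). */
static int read_property_checked(const uint8_t *rec, size_t rec_len,
                                 char out[PROP_MAX])
{
    if (rec_len < 2)
        return -1;
    uint16_t n = (uint16_t)(rec[0] | (rec[1] << 8));
    if (n >= PROP_MAX)
        return -1;                /* would overrun out[] */
    if ((size_t)n > rec_len - 2)
        return -1;                /* claims bytes that are not present */
    memcpy(out, rec + 2, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    uint8_t rec[256];
    char out[PROP_MAX];
    size_t len;

    /* constructed sample: well-formed 5-byte property */
    len = build_record(rec, sizeof rec, 5, 5, 'h');
    if (read_property_checked(rec, len, out) == 0)
        printf("valid record: accepted, payload=\"%s\"\n", out);

    /* constructed sample: header claims 200 bytes and supplies them */
    len = build_record(rec, sizeof rec, 200, 200, 'A');
    printf("oversized record: checked=%d (unchecked copy would overrun)\n",
           read_property_checked(rec, len, out));

    /* constructed sample: header claims 65535 bytes, only 4 present */
    len = build_record(rec, sizeof rec, 0xFFFF, 4, 'B');
    printf("truncated record: checked=%d\n",
           read_property_checked(rec, len, out));
    return 0;
}
```

The hardened routine rejects the record rather than clamping the length, because a header that disagrees with the payload is a sign of a corrupt or hostile file and there is no correct way to continue parsing it. Note also that the check compares against the destination size with room for the terminator (n >= PROP_MAX, not n > PROP_MAX), the off-by-one that an otherwise careful check often misses.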