Lock IT Down: Critical flaw in VBA could be next target for hackers

If you overlook this important security flaw, you're putting your system at risk

Microsoft has released five new Security Bulletins, MS03-034, MS03-035, MS03-036, MS03-037, and MS03-038, ranging in severity from Low to Critical. The most significant of these bulletins is MS03-037, "Flaw in Visual Basic for Applications Could Allow Arbitrary Code Execution," which describes a buffer overrun that can lead to the complete compromise of a vulnerable system.

MS03-037 is a buffer overrun threat that can allow an attacker to run any arbitrary code on a vulnerable system merely by enticing a user to open a Word document (which can be done over the Web via Internet Explorer). The problem lies in the way Microsoft Visual Basic for Applications (VBA) validates the necessity to load on a system when a document is opened. Because VBA doesn't correctly check the parameters that are passed to it from the document, a buffer overrun can be triggered, allowing arbitrary code to run on the vulnerable system.

The MS03-037 bulletin lists only VBA Software Development Kit (SDK) 5.0, 6.0, and 6.1 as being vulnerable to this flaw, but the related Knowledge Base Article (822715) says that the bulletin also applies to these products:
  • All versions of Word since Word 97
  • Access 2000 and 2002
  • Excel 97 through 2002
  • PowerPoint 97 through 2002
  • Project 2000 and 2002
  • Publisher 2002
  • Visio 2000 and 2002 (most editions)
  • Works Suite 2001 through 2003
  • Office 2000 (all versions)
  • Office XP (all versions)

VBA is an integral part of Microsoft development platforms, so this problem affects Word, Excel, other Office applications, and any other apps that use VBA. In practice, virtually every Windows system will be vulnerable to this threat.

Users of Microsoft Business Solutions Dynamics 7.0, eEnterprise 7.0, Solomon IV 4.5, and Solomon IV 5.0 are probably also affected, with the usual caveat that Microsoft doesn't necessarily report on vulnerabilities in software that is no longer supported.

Risk level—Critical
This widespread threat can allow an attacker to run any arbitrary code on the vulnerable system merely by having a user open an infected document.

Mitigating factors
There are several mitigating factors, but the most important is that the attacker's code can run only with the rights of the user who is logged on and opens the document. Also, where Word is used as the HTML e-mail editor (the default in Office XP), merely opening an e-mail containing an infected document would not cause an infection; however, forwarding or replying to the message would activate the attack.

Microsoft says that you can determine whether VBA is running on your system and which version is installed by looking for the following files:
  • C:\Program Files\Common Files\Microsoft Shared\VBA\vbe.dll—If this file is present, you have VBA 5.0.
  • C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\vbe6.dll—If this file is present, you have VBA 6.0.
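The file check above can be scripted so that administrators can inventory the VBA runtime on a host before deciding which patches to deploy. This is an added example, not code from the article or from Microsoft; it assumes the two file paths given in the article, and the Program Files (x86) variants it also probes are an assumption for 64-bit hosts with 32-bit Office installed.

```powershell
# Added example: report which VBA runtime DLLs named in MS03-037 / KB 822715 are present.
# The relative paths are the ones the article lists; probing both Program Files roots
# is an assumption for 64-bit hosts, not something the article states.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

$candidates = @(
    @{ VbaVersion = 'VBA 5.0'; Relative = 'Common Files\Microsoft Shared\VBA\vbe.dll' },
    @{ VbaVersion = 'VBA 6.0'; Relative = 'Common Files\Microsoft Shared\VBA\VBA6\vbe6.dll' }
)

$found = foreach ($root in $roots) {
    foreach ($c in $candidates) {
        $path = Join-Path -Path $root -ChildPath $c.Relative
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path
            # FileVersion and LastWriteTime help confirm whether a patch has actually replaced the DLL
            [pscustomobject]@{
                VbaVersion  = $c.VbaVersion
                Path        = $path
                FileVersion = $item.VersionInfo.FileVersion
                Modified    = $item.LastWriteTime
            }
        }
    }
}

if ($found) {
    $found | Format-Table -AutoSize
} else {
    Write-Output 'No VBA runtime DLLs found at the documented locations.'
}
```

Run the same script block through Invoke-Command against a list of computer names to build a network-wide inventory before rolling out the patches.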

Fix—patch multiple apps
Unfortunately, most corporate networks will have more than one of the vulnerable applications installed. The really bad news for administrators is that there isn't one overall patch that works across the board. Microsoft says you may need to install multiple patches. For example, there are VBA patches, but if you have both Visio and Office, you will most likely need to apply a different patch to each.

Patches (definitely plural) are available. See MS03-037 for details and links to the various patches. These patches may require a reboot and cannot be uninstalled. The patches repair the way VBA checks the data passed to it when a document is opened.

Final word
After several weeks with few or no major Microsoft security flaws being reported, the Microsoft Security Bulletin service is back with a vengeance, releasing five new bulletins. If you're new to Microsoft security, perhaps you don't know that all new security bulletins are published late on Wednesday or early Thursday morning each week, giving administrators a chance to put in some overtime over the weekend if they can't test and deploy critical patches by Friday of the week that they are released.

Also watch out for...
Just a few days after I read on that Symantec was instituting a new rights management package next year and a price increase for future update subscriptions, I attempted a regular update of my Norton AntiVirus package—and LiveUpdate now strangely reports that I am running a prerelease or beta version of Symantec Norton AntiVirus 2003 not supported by Symantec. Just a word to the wise: Keep an eye on those updates your company has paid for to make certain that they are being performed correctly. That obviously applies especially to any telecommuters and mobile workers you support.

Now back to the other Microsoft threats released this week.

MS03-034, "Flaw in NetBIOS Could Lead to Information Disclosure," is a Low-rated threat that can result in an information disclosure event that affects Microsoft Windows NT 4.0 Server, Windows NT 4.0 Terminal Server Edition, Windows 2000, Windows XP, and Windows Server 2003. Windows Me is not affected.

MS03-035, "Flaw in Microsoft Word Could Enable Macros to Run Automatically," is rated Important and applies to all versions of Word, as well as to Microsoft Works Suites. Patches are available and don't require a reboot, but they can't be removed.

MS03-036, "Buffer Overrun in WordPerfect Converter Could Allow Code Execution," is rated a Moderate threat. It affects Microsoft Office 97, 2000, and XP, Microsoft Word 98 (Japanese version only), Microsoft FrontPage 2000 and 2002, Microsoft Publisher 2000 and 2002, and Microsoft Works Suite 2001, 2002, and 2003. Patches are available and don't require a system reboot, although they can't be removed.

MS03-038, "Unchecked Buffer in Microsoft Access Snapshot Viewer Could Allow Code Execution," is a Moderate threat that affects Microsoft Access 97, 2000, and 2002, as well as users who have downloaded the Microsoft Access Snapshot Viewer. Affected users and managers need to apply the patch, which doesn't require a reboot and can't be uninstalled.
