<<< Date Index >>>     <<< Thread Index >>>

Alert: Microsoft Security Bulletin - MS03-035


Flaw in Microsoft Word Could Enable Macros to Run Automatically (827653)

Originally posted: September 03, 2003


Who should read this bulletin: Customers who are using Microsoft® Word

Impact of vulnerability: Run macros without warning

Maximum Severity Rating: Important

Recommendation: Customers who are using affected versions of Microsoft Word 
should apply the security patch immediately.

End User Bulletin:
An end user version of this bulletin is available at: 


Affected Software: 
- Microsoft Word 97</li> 
- Microsoft Word 98 (J)</li> 
- Microsoft Word 2000</li> 
- Microsoft Word 2002</li> 
- Microsoft Works Suite 2001</li>
- Microsoft Works Suite 2002</li>
- Microsoft Works Suite 2003</li>

Technical description: 

A macro is a series of commands and instructions that can be grouped together 
as a single command to accomplish a task automatically. Microsoft Word supports 
the use of macros to allow the automation of commonly performed tasks. Since 
macros are executable code it is possible to misuse them, so Microsoft Word has 
a security model designed to validate whether a macro should be allowed to 
execute depending on the level of macro security the user has chosen.

A vulnerability exists because it is possible for an attacker to craft a 
malicious document that will bypass the macro security model. If the document 
was opened, this flaw could allow a malicious macro embedded in the document to 
be executed automatically, regardless of the level at which macro security is 
set. The malicious macro could take the same actions that the user had 
permissions to carry out, such as adding, changing or deleting data or files, 
communicating with a web site or formatting the hard drive. 

The vulnerability could only be exploited by an attacker who persuaded a user 
to open a malicious document -there is no way for an attacker to force a 
malicious document to be opened.

Mitigating factors:
- The user must open the malicious document for an attacker to be successful. 
An attacker cannot force the document to be opened automatically.
- The vulnerability cannot be exploited automatically through e-mail. A user 
must open an attachment sent in e-mail for an e-mail borne attack to be 
- By default, Outlook 2002 block programmatic access to the Address Book. In 
addition, Outlook 98 and 2000 block programmatic access to the Outlook Address 
Book if the Outlook Email Security Update has been installed. Customers who use 
any of these products would not be at risk of propagating an e-mail borne 
attack that attempted to exploit this vulnerability.
- The vulnerability only affects Microsoft Word - other members of the Office 
product family are not affected.

Vulnerability identifier:  CAN-2003-0664

This email is sent to NTBugtraq automatically as a service to my subscribers. 

Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

Whatever Happened to Octopus?

LEGATO RepliStor, formerly known as Octopus, delivers breakthrough
replication performance that's 5X faster than the competition in an
independent head-to-head test. Learn how RepliStor uses patented,
asynchronous, real-time replication, to deliver disaster recovery, data
distribution and consolidated backups. It is the first replication solution
to achieve Windows 2003 certification. Get the performance report now.