Skip navigation
Menu
Security

Multiple Vulnerabilities in Microsoft Excel, Office XP, and Word

Reported June 19, 2002, by Microsoft.

VERSIONS AFFECTED

 

·         Microsoft Excel 2002 for Windows

·         Microsoft Excel 2000 for Windows

·         Microsoft Office XP for Windows

·         Microsoft Office 2000 for Windows

·         Microsoft Word 2002 for Windows

 

DESCRIPTION

Multiple vulnerabilities exist in Excel, Office XP, and Word for Windows, all of which enable an attacker to execute macro code on the vulnerable system. These four newly discovered vulnerabilities are:

·         An Excel macro execution vulnerability that relates to how the system handles inline macros associated with objects. This vulnerability can enable macros to execute and bypass the Macro Security Model when an affected user clicks an object in a workbook.

·         An Excel macro execution vulnerability that relates to how the system handles macros in workbooks when a user opens those workbooks from a hyperlink on a drawing shape. It's possible for an attacker to automatically run workbook macros so invoked.

·         An HTML script execution vulnerability that can occur when a user opens an Excel workbook with an XSL stylesheet containing HTML script. An attacker can run the script within the XSL stylesheet in the local computer zone.

·         A new variant of the Word Mail Merge vulnerability first addressed in Security Bulletin MS00-071 (Patch Available for "Word Mail Merge" Vulnerability). This new variant lets an attacker's macro code run automatically if the affected user has Access on the system and chooses to open a mail-merge document that the user had saved in HTML format.

VENDOR RESPONSE

The vendor, Microsoft, has released Security Bulletin MS02-031 (Cumulative Patches for Excel and Word for Windows) to address this vulnerability and recommends that affected users download and apply the appropriate patch mentioned in the bulletin. These patches are cumulative and address all previously discovered vulnerabilities in the affected products.

 

CREDIT
Discovered by the dH team, Darryl Higa, and SECURITY.NNOV.

TAGS: Security
Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
DevSecOps concept
90% of Java Services in Production Have Vulnerability Risk, DevSecOps Report Finds
Apr 20, 2024
Businesswoman challenges concept and gender obstacles
Women in Cybersecurity Face Barriers to Hiring, Advancement
Apr 15, 2024
person typing on keyboard with icons for certificates
Top IT Certifications for a Career in Finance
Apr 12, 2024
employee working on a laptop with AI
Why AI Coding Assistants May Be Greatest Cybersecurity Threat Facing Your Business
Mar 26, 2024