Subscribe to this blog
The first flaw affects any program that uses Visual Basic for Applications--a programming language common to all Office apps, as well as Publisher, Visio, and others.
Microsoft didn't make VBA bulletproof. It has an "unchecked buffer" that, if exploited by malicious code, could let an attacker take over your PC. Buffer checkers are like the safety cutoff valves in self-serve gasoline pumps. When your tank--or in this case, a buffer meant to hold data until it's needed--is full, the pump automatically shuts off. But the VBA buffer lacks a shutoff valve. In theory, a miscreant may send you a malformed PowerPoint file, say, containing an attack macro capable of sending too much data to the buffer. If you load the file, the macro begins to execute. As the data overflows, the cracker's code moves to take over. See this Microsoft bulletin for a list of affected programs and a link to the fix.
The other two flaws affect Word (versions 97 through 2002) and Works Suite (versions 2001 through 2003). One of them involves macros. If you open a Word file containing a nasty macro, it can execute automatically and cause a lot of damage. Jump to Microsoft's site to get the patch.
The final vulnerability affects Corel WordPerfect word processor documents. If you need to be able to read WordPerfect files within Microsoft Word, you probably use Microsoft's file converter. But the converter has a hole consisting of another unchecked buffer that a miscreant could misuse by sending you an infected WordPerfect file. Again, at Microsoft's site you can download the patch and read details about other susceptible programs.
