SECURITYVULNS:DOC:8

Security Bulletin (MS00-022)

Patch Available for "XLM Text Macro" Vulnerability

Originally Posted: April 03, 2000

Summary

Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Excel. The vulnerability could allow a
macro to run without generating the expected security warning.

Frequently asked questions regarding this vulnerability can be found
at http://www.microsoft.com/technet/security/bulletin/fq00-022.asp.

Issue

When an Excel user starts a macro that resides outside of the current
spreadsheet (for example, in another spreadsheet), Excel by design
will generate a warning dialogue. However, this dialogue is not
generated if the macro consists of Excel 4.0 Macro Language (XLM)
commands in an external text file.

The vulnerability only affects whether a warning dialogue is displayed;
it does not change any other aspects of the macro's operation. A
malicious user would need to entice a user into accepting the
spreadsheet and opening it. Further, there is no means to
"autolaunch" such a macro, so the malicious user would need to entice
the user into clicking a link to launch the macro.

Affected Software Versions

  • Microsoft Excel 97
  • Microsoft Excel 2000

Note: Excel ships as a stand-alone product, and also as a member of
the Office family.

Note: Previous versions of Excel may be affected by this
vulnerability. The recommended course of action for customers using
these products is to upgrade to either Excel 97 or 2000, and apply the
patch for them.

Patch Availability

Note: Additional security patches are available at the Microsoft
Download Center.

More Information

Please see the following references for more information related to
this issue.

Obtaining Support on this Issue

This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp.

Acknowledgments

Microsoft thanks Darryl Higa for reporting this issue to us and
working with us to protect customers.

Revisions

April 03, 2000: Bulletin Created.