From:MICROSOFT <secure_(at)_microsoft.com>
Date:03.04.2000
Subject:Security Bulletin (MS00-022)

Patch Available for "XLM Text Macro" Vulnerability

Originally Posted: April 03, 2000

Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Excel. The vulnerability could allow a
macro to run without generating the expected security warning.

Frequently asked questions regarding this vulnerability can be found
at http://www.microsoft.com/technet/security/bulletin/fq00-022.asp.

Issue
=====
When an Excel user starts a macro that resides outside of the current
spreadsheet (for example, in another spreadsheet), Excel by design
will generate a warning dialogue. However, this dialogue is not
generated if the macro consists of Excel 4.0 Macro Language (XLM)
commands in an external text file.

The vulnerability only affects whether a warning dialogue is
displayed; it does not change any other aspects of the macro's
operation. A malicious user would need to entice a user into accepting
the spreadsheet and opening it. Further, there is no means to
"autolaunch" such a macro, so the malicious user would need to entice
the user into clicking a link to launch the macro.

Affected Software Versions
==========================
- Microsoft Excel 97
- Microsoft Excel 2000

Note: Excel ships as a stand-alone product, and also as a member of
the Office family.

Note: Previous versions of Excel may be affected by this
vulnerability. The recommended course of action for customers using
these products is to upgrade to either Excel 97 or 2000, and apply the
patch for them.

Patch Availability
==================
- Excel 97:
  http://www.officeupdate.com/downloadDetails/Xl8p9pkg.htm?
     s=/downloadCatalog/dldExcel.asp
  Note: A line break has been inserted into the above URL
     for readability.
  Note: This patch requires Office 97 Service Release 2
- Excel 2000:
  This vulnerability is eliminated in Office Service Release 1,
  which is available at
  http://www.officeupdate.com/2000/downloadDetails/O2kSR1DDL.htm

Note: Additional security patches are available at the Microsoft
Download Center.

More Information
================
Please see the following references for more information related to
this issue.
- Microsoft Security Bulletin MS00-022: Frequently Asked Questions,
  http://www.microsoft.com/technet/security/bulletin/fq00-022.asp
- Microsoft Knowledge Base (KB) article Q255605,
  XL2000: Macro Virus Warning Does Not Appear When You Open a Text
  File That Contains XLM Code,
  http://www.microsoft.com/technet/support/kb.asp?ID=255605.
- Microsoft Knowledge Base (KB) article Q255606,
  XL97: Macro Virus Warning Does Not Appear When You Open a Text
  File That Contains XLM Code,
  http://www.microsoft.com/technet/support/kb.asp?ID=255606.
- Microsoft TechNet Security web site,
  http://www.microsoft.com/technet/security/default.asp.

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
===============
Microsoft thanks Darryl Higa for reporting this issue to us and
working with us to protect customers.

Revisions
=========
April 03, 2000: Bulletin Created.
