[<prev] [next>] [day] [month] [year] [list]
Message-ID: <28915501A44DBA4587FE1019D675F983093BA8@grfint.intern.adiscon.com>
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Subject: FW: Microsoft Security Bulletin MS03-035: Flaw in Microsoft Word Could Enable Macros to Run Automatically(827653)
Excellent piece of Microsoft software...
Can't even install it on Word 2002 German on WinXP German. The patch
says (translated) "did not find the product expected". I then tried the
office update site. That fails with an general error, telling me I
should review my security settings.
Bottom line: nice patch, but can't install...
Am I now guilty of lazyness if I do not patch?
Anyone else with similar problems?
Rainer Gerhards
> -----Original Message-----
> From: Microsoft
> [mailto:0_51912_A303F73D-CBD5-4F48-8040-2B7DCAAAC7DF_DE@...sle
> tters.Microsoft.com]
> Sent: Thursday, September 04, 2003 6:41 AM
> To: Rainer Gerhards
> Subject: Microsoft Security Bulletin MS03-035: Flaw in
> Microsoft Word Could Enable Macros to Run Automatically(827653)
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> - -------------------------------------------------------------------
> Title: Flaw in Microsoft Word Could Enable Macros to Run
> Automatically (827653)
> Date: September 3, 2003
> Software: Microsoft Word 97
> Microsoft Word 98 (J)
> Microsoft Word 2000
> Microsoft Word 2002
> Microsoft Works Suite 2001
> Microsoft Works Suite 2002
> Microsoft Works Suite 2003
> Impact: Run macros without warning
> Max Risk: Important
> Bulletin: MS03-035
>
> Microsoft encourages customers to review the Security Bulletins at:
>
> http://www.microsoft.com/technet/security/bulletin/MS03-035.asp
> http://www.microsoft.com/security/security_bulletins/MS03-035.asp
>
> - -------------------------------------------------------------------
>
> Issue:
> ======
> A macro is a series of commands and instructions that can be
> grouped together as a single command to accomplish a task
> automatically. Microsoft Word supports the use of macros to allow
> the automation of commonly performed tasks. Since macros are
> executable code it is possible to misuse them, so Microsoft Word
> has a security model designed to validate whether a macro should be
> allowed to execute depending on the level of macro security the
> user has chosen.
>
> A vulnerability exists because it is possible for an attacker to
> craft a malicious document that will bypass the macro security
> model. If the document was opened, this flaw could allow a
> malicious macro embedded in the document to be executed
> automatically, regardless of the level at which macro security is
> set. The malicious macro could take the same actions that the user
> had permissions to carry out, such as adding, changing or deleting
> data or files, communicating with a web site or formatting the hard
> drive.
>
> The vulnerability could only be exploited by an attacker who
> persuaded a user to open a malicious document - there is no way for
> an attacker to force a malicious document to be opened.
>
> Mitigating Factors:
> ====================
> - The user must open the malicious document for an attacker to be
> successful. An attacker cannot force the document to be opened
> automatically.
>
> - The vulnerability cannot be exploited automatically through e-
> mail. A user must open an attachment sent in e-mail for an e-
> mail borne attack to be successful.
>
> - By default, Outlook 2002 block programmatic access to the
> Address Book. In addition, Outlook 98 and 2000 block
> programmatic access to the Outlook Address Book if the Outlook
> Email Security Update has been installed. Customers who use any
> of these products would not be at risk of propagating an e-mail
> borne attack that attempted to exploit this vulnerability.
>
> - The vulnerability only affects Microsoft Word - other members of
> the Office product family are not affected.
>
> Risk Rating:
> ============
> -Important
>
> Patch Availability:
> ===================
> - A patch is available to fix this vulnerability. Please read the
> Security Bulletins at
>
> http://www.microsoft.com/technet/security/bulletin/MS03-035.asp
> http://www.microsoft.com/security/security_bulletins/MS03-035.asp
>
> for information on obtaining this patch.
>
> Acknowledgment:
> ===============
> - Jim Bassett of Practitioners Publishing Company
> (http://www.ppcnet.com)
> - -------------------------------------------------------------------
>
> THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
> PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
> ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
> OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO
> EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
> ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
> CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
> MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
> POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
> OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
> SO THE FOREGOING LIMITATION MAY NOT APPLY.
>
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0.2
>
> iQEVAwUBP1UvR40ZSRQxA/UrAQE0jwf8Dzm8/NCPSiH+BP7ePKRl66a9rawIDdlu
> V+52lARZNbRkBNU00U8ImEzilgfIbgj0HZkcb4GpaQLUsPbYSuyiyu9PrKn0i+/j
> JTaZOg48YJYZzhFOq+drUAMmwMQAkD3xb9fCrSxqET4/K4/55qiJW5uyOlH9RZ3K
> BS6fhpmrQhOHGRU1gxWDbnRwWZmaqqMCr4WlGJZKZRH3L6kXwEfoH77Xq/v8BiXC
> y0a6YqMpmA/Jd3Dpx8ByQBMTEfr2eHmMR9WDBowCip4iQ+p/Qorn8q6JpVlm8mhr
> G+fCshh3bCiniTX5cXt+9B4yVqnpYXHefB0Vt5mfi6/bavgbiqdt4A==
> =ZJEd
> -----END PGP SIGNATURE-----
>
>
>
> *******************************************************************
>
> You have received this e-mail bulletin because of your
> subscription to the Microsoft Product Security Notification
> Service. For more information on this service, please visit
> http://www.microsoft.com/technet/security/noti> fy.asp.
>
> To
> verify the digital signature on this bulletin,
> please download our PGP key at
> http://www.microsoft.com/technet/security/noti> fy.asp.
>
> To
> unsubscribe from the Microsoft Security
> Notification Service, please visit the Microsoft Profile
> Center at http://register.microsoft.com/regsys/pic.asp
>
> If you do not wish to use Microsoft Passport, you can
> unsubscribe from the Microsoft Security Notification Service
> via email as described below:
> Reply to this message with the word UNSUBSCRIBE in the Subject line.
>
> For security-related information about Microsoft products,
> please visit the Microsoft Security Advisor web site at
http://www.microsoft.com/security.
Powered by blists - more mailing lists