SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#804780

Microsoft Visual Basic for Applications (VBA) does not adequately validate document properties

Overview

Microsoft Visual Basic for Applications (VBA) contains a buffer overflow when validating document properties. This vulnerability could allow an attacker to execute arbitrary code with the privileges of the user running VBA.

I. Description

From Microsoft Security Bulletin MS03-037:

    Microsoft VBA is a development technology for developing client desktop packaged applications and integrating them with existing data and systems. Microsoft VBA is based on the Microsoft Visual Basic development system. Microsoft Office products include VBA and make use of VBA to perform certain functions. VBA can also be used to build customized applications based around an existing host application.

A VBA subsystem, the Visual Basic Design Time Environment (VBE), does not adequately validate certain data passed to it from documents that contain VBA code:
    A flaw exists in the way VBA checks document properties passed to it when a document is opened by the host application. When a document is opened by an application that supports Microsoft VBA, the host application carries out a check to determine whether Microsoft VBA is required by the document and should therefore be loaded. During this initial check some document properties are passed to Microsoft VBA - a flaw exists because Microsoft VBA does not correctly validate the data that is passed to it during this initial phase.
VBE is implemented in vbe.dll (VBA 5.0) or vbe6.dll (VBA 6.x).

An attacker could exploit this vulnerability by convincing a victim to open a document that contained specially crafted VBA code. If Word is configured as the email editor for Outlook, an exploit could be delivered via an email message. In this case, the victim would have to reply to or forward the message in order to trigger the exploit. Also, since certain types of Office files are automatically opened by Internet Explorer (IE), an attacker could convince the victim to load a crafted document from a web site.

VBA is included in a number of Microsoft products including Office (Word, Excel, PowerPoint, Access), Publisher, Project, Visio, Works Suite, and Business Solutions (Great Plains, Dynamics, eEnterprise, Solomon). In addition, non-Microsoft products that use VBA may be affected. Per MS03-037:
    Microsoft has worked with 3rd parties who develop applications using Microsoft VBA to make sure they are aware of this security vulnerability and that they have the necessary updates to Microsoft VBA to incorporate in their products. You should contact your software vendor to obtain updates for any non-Microsoft applications that use Microsoft VBA.
This vulnerability is described in Microsoft Security Bulletin MS03-037 and eEye Digital Security advisory AD20030903-2.

II. Impact

By convincing a victim to open a specially crafted document, an attacker could execute arbitrary code with the privileges of the victim.

III. Solution

Apply patch

Apply the appropriate patch referenced in Microsoft Security Bulletin MS03-037.

Systems Affected

VendorStatusDate NotifiedDate Updated
Microsoft CorporationVulnerable12-Sep-2003

References


http://www.eeye.com/html/Research/Advisories/AD20030903-2.html
http://www.microsoft.com/technet/security/bulletin/MS03-037.asp
http://www.microsoft.com/security/security_bulletins/ms03-037.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;822715
http://www.secunia.com/advisories/9666/

Credit

Microsoft credits eEye Digital Security with discovering and reporting this vulnerability. Information used in this document came from Microsoft and eEye Digital Security.

This document was written by Art Manion.

Other Information

Date Public:2003-09-03
Date First Published:2003-09-14
Date Last Updated:2003-09-15
CERT Advisory: 
CVE-ID(s):CAN-2003-0347
NVD-ID(s):CAN-2003-0347
US-CERT Technical Alerts: 
Metric:16.83
Document Revision:30

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2003 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader