Vulnerability Note VU#26493
MS Excel XLM Text Macro execution fails to trigger warning when default medium security set
Overview
Excel fails to present a warning dialog when a macro is called from an external XLM (text macro) file.
Description
If a spreadsheet contains a reference to an external macro (XLM) file, Excel does not generate the usual warning dialog asking if the user wants to run the macro. Microsoft reports that the macros can not be automatically executed, and that the user must trigger the macro. It is possible that actions such as changing the cell focus are sufficient to trigger a macro however. The file types that may include a reference to an external macro include: comma separated values, tab delimited text, and data interchange format. Excel 97 and Excel 2000 have this vulnerability. Microsoft has published a security bulletin with additional information at: |
Impact
Users may be tricked into executing an Excel macro, allowing the creator of the spreadsheet to execute arbitrary commands as the user opening the spreadsheet. |
Solution
Apply a Patch
|
Set Macro Security Level to"High"
|
Systems Affected (Learn More)
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Microsoft Corporation | Affected | - | 16 Jul 2002 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://www.microsoft.com/technet/security/bulletin/MS00-022.asp
- http://www.microsoft.com/technet/security/bulletin/MS00-022.asp?a=printable
- http://www.microsoft.com/technet/security/bulletin/fq00-022.asp
- http://www.microsoft.com/technet/support/kb.asp?ID=255605
- http://www.microsoft.com/technet/support/kb.asp?ID=255606
- http://www.officeupdate.com/2000/downloadDetails/O2kSR1DDL.htm
- http://www.officeupdate.com/downloadDetails/Xl8p9pkg.htm?s=/downloadCatalog/dldExcel.asp
Credit
Microsoft credits Darryl Higa for finding this vulnerability.
This document was written by Cory F. Cohen.
Other Information
- CVE IDs: CVE-2000-0277
- Date Public: 03 Apr 2000
- Date First Published: 27 Sep 2002
- Date Last Updated: 27 Sep 2002
- Severity Metric: 4.01
- Document Revision: 3
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
View Notes By
Report a Vulnerability
Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.