search menu icon-carat-right cmu-wordmark

CERT Coordination Center

MS Excel XLM Text Macro execution fails to trigger warning when default medium security set

Vulnerability Note VU#26493

Original Release Date: 2002-09-27 | Last Revised: 2002-09-27


Excel fails to present a warning dialog when a macro is called from an external XLM (text macro) file.


If a spreadsheet contains a reference to an external macro (XLM) file, Excel does not generate the usual warning dialog asking if the user wants to run the macro. Microsoft reports that the macros can not be automatically executed, and that the user must trigger the macro. It is possible that actions such as changing the cell focus are sufficient to trigger a macro however. The file types that may include a reference to an external macro include: comma separated values, tab delimited text, and data interchange format. Excel 97 and Excel 2000 have this vulnerability.

Microsoft has published a security bulletin with additional information at:


Users may be tricked into executing an Excel macro, allowing the creator of the spreadsheet to execute arbitrary commands as the user opening the spreadsheet.


Apply a Patch

Microsoft has produced patches to correct this vulnerability. The patches are referenced in their advisory at:

Set Macro Security Level to"High"

Setting the macro execution security level to "High", will prevent the macros from running.

Vendor Information

Affected   Unknown   Unaffected

Microsoft Corporation

Updated:  July 16, 2002



Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


Microsoft has published a security advisory on this topic at:

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A



Microsoft credits Darryl Higa for finding this vulnerability.

This document was written by Cory F. Cohen.

Other Information

CVE IDs: CVE-2000-0277
Severity Metric: 4.01
Date Public: 2000-04-03
Date First Published: 2002-09-27
Date Last Updated: 2002-09-27 17:39 UTC
Document Revision: 3

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.