The most serious flaw, in the Visual Basic for Applications (VBA) software, could allow an attacker to gain control of a vulnerable PC. VBA is used to develop desktop applications that tie into other Microsoft products.
As detailed in Microsoft's security bulletin, a malicious user could create a document with a VBA application that's designed to overflow the buffer -- the chunk of memory that's allocated to a program -- and then run other code.
The flaw affects recent versions of Office applications that support VBA scripting, including the 2002, 2000 and 97 versions of Access, Excel, PowerPoint and Word. It can also be used with Project 2002 and 2000, Visio 2002 and 2000 and Works Suite 2002, 2001 and 2000. Several applications sold under Microsoft's Business Solutions brand also are at risk, including version 7.5 of the Great Plains accounting software.
In most cases, a person would have to receive and open a maliciously crafted document to trigger an attack. If Microsoft's Outlook email client is set up to use Word as the default program for editing HTML Web code, however, the vulnerability could be exploited by responding to or forwarding a message with a malicious attachment.
Microsoft representatives urged customers to apply the proper patches -- as detailed in the security bulletin and at the Office Update site -- and to use sound email handling procedures.
"If you receive an attachment from someone you don't know, something you're not expecting, you should be very cautious," said Simon Marks, Microsoft product manager for Office.
Several other alerts also involve Office applications. A vulnerability in recent versions of Word could allow hackers to automatically run macros, which are mini-programs typically used to automate routine tasks. The flaw -- classified as "important" -- requires opening a maliciously crafted document, according to the security bulletin. Customers using Word 2002, 2000, 98 or 97 or Works Suite 2003, 2002 or 2001 are urged to apply the patch, as described in the bulletin.
Another flaw exploits a potential buffer overflow arising from the way Office applications convert documents created in formats associated with Corel's WordPerfect software. The security hole -- described as "important" -- appears in recent versions of Office, FrontPage, Publisher and Works Suite, according to the alert. It could allow a malicious user to arbitrarily run code on a comprised PC. Patches are available via the bulletin.
Another Office-related buffer overflow vulnerability -- ranked "moderate" -- could also allow arbitrary code execution after a PC user opens a maliciously crafted document by using the "Snapshot Viewer" tool that's included in Microsoft's Access database application. The flaw affects Access 2002, 2000 and 97, and is fixed by a patch.
The final flaw -- ranked as a "low" threat -- involves the NetBIOS (Network Basic Input/Output System) networking component included in recent versions of the Windows operating system. Under certain conditions, a response to a network query could include random data from the PC's memory, possibly revealing sensitive data. The flaw uses PC resources normally blocked by the Internet Connection Firewall security software included in recent versions of Windows, according to the bulletin.
Microsoft has come under increasing scrutiny for its frequent security alerts, as the software giant tries to build confidence in its software through its Trustworthy Computing initiative.
Talkback
Being as we are entering an age of full interconnectivity, a place where portable systems will be connected to servers which will in turn be connected to PBX's, desktop systems, fridges, MPEG players, etc, trust (security) is going to be even more important in the time to come.
The one thing that would be truly frightening is if, in a homogenous environment -(the type it seems Microsoft wishes for us all)- when a virus is discovered, each and every gadget from office to homes has to be patched over and over again. This, of course, is to be expected considering the fact that code migration across OS types does indeed occur - That is why Blaster had such a wide spread over Microsoft OS' releases.
One can only envisage, that to solve the above problem, instead of creating better software architectural principles that attack the core of this issue, Microsoft will try even harder to gain control of client systems - which will lead to a whole new set of problems, most especially when a new point of super centralised control is established, giving a convinient point of access for hackers and the like.
Anyway, things can always be blamed on the hackers, or 3rd party developers, or users, or.....
Well on the positive side at least they appear to be making the eftort to tell us about the problems now. Maybe the future is bright and multicoloured and people will recall that diversity leads to resiliance, if at the price of a pain in the neck for the admin people ; )