Microsoft KB Archive/822150

= VBA: Availability of the Microsoft VBA Security Update MS03-037 =

Article ID: 822150

Article Last Modified on 7/18/2007

-

APPLIES TO


 * Microsoft Access 97 Standard Edition
 * Microsoft Excel 97 Standard Edition
 * Microsoft Office 97 Standard Edition
 * Microsoft PowerPoint 97 Standard Edition
 * Microsoft Visio 2000 Enterprise Edition
 * Microsoft Visio 2000 Professional Edition
 * Microsoft Visio 2000 Standard Edition
 * Microsoft Visio 2000 Technical Edition
 * Microsoft Word 97 Standard Edition
 * Microsoft Word 98 Standard Edition
 * Microsoft Works Suite 2003
 * Microsoft Works Suite 2002
 * Microsoft Works Suite 2001
 * Microsoft Visual Basic for Applications (VBA) Software Development Kit (SDK) 6.3
 * Microsoft Visual Basic for Applications (VBA) Software Development Kit (SDK) 6.2
 * Microsoft Visual Basic for Applications (VBA) Software Development Kit (SDK) 6.1
 * Microsoft Visual Basic for Applications (VBA) Software Development Kit (SDK) 6.0
 * Microsoft Visual Basic for Applications (VBA) Software Development Kit (SDK) 5.0

-





SUMMARY
A flaw exists in the project-loading code for Visual Basic for Applications (VBA). If the flaw is exploited successfully, this may permit an attacker to run code of their choice in the context of a logged-on user. The problem occurs because of a buffer overrun vulnerability in the way that VBA reads document properties that are passed to it by the host application. For the vulnerability to be exploited successfully, you have to open a specially-crafted document that is sent to you by an attacker. This document can be any type of document that supports VBA integration.

Mitigating Factors

 * You must open the document that is sent to you by an attacker for this vulnerability to be exploited.
 * If you use Word as the HTML e-mail editor for Microsoft Outlook, the mail message itself may contain the flaw. However, you must reply to open the mail message or forward the mail message for the vulnerability to occur.
 * The code of the attacker can only run with the same rights that you have as the logged-on user. The specific administrative credentials that the attacker can gain through this vulnerability therefore depend on the administrative credentials that are granted to you. Any limitations to your account, such as administrative credentials that are applied through Group Policies, also limit the actions of any arbitrary code that is run by this vulnerability.



Microsoft Office 2000, Microsoft Office XP, Microsoft Visio 2002
If you use Office 2000, Office XP, Visio 2002, or individual Office products that are not previously listed, you must use one of the custom update security patches for these products. These updates are designed to make sure that correct patching occurs when you use Install on Demand and Detect and Repair in Office setup. Microsoft recommends that you use this method for updating these products.

For additional information about these packages, click the following article number to view the article in the Microsoft Knowledge Base:

822715 MS03-037: Flaw in Visual Basic for Applications Could Allow Arbitrary Code Execution

Microsoft Works Suite
If you use Microsoft Works Suite, Microsoft recommends that you install the security patch by using the Office Product Updates Web site. The Office Product Updates Web site detects your particular Office installation and then prompts you to install exactly what you must have to make sure that your Office installation is completely up-to-date.

For additional information about Office Product Updates and to detect the required updates that you must install on your computer, visit the following Microsoft Web site:

http://office.microsoft.com/ProductUpdates/default.aspx

After detection is complete, you receive a list of recommended updates for your approval. Click Start Installation to complete the process.

Note If you are using Microsoft Works Suite, you may also update your system with the security patch that is available from this article.

Microsoft Visio 2000 or Microsoft Office 97
If you are using Visio 2000 or Office 97, you must immediately update your system with the security patch that is available from this article.

Note If you use a Microsoft Office 2003 family product, you have this security patch already, and you do not have to update your system.

Security Patch Information
The following security patch is intended for any application that has integrated VBA by using the Microsoft Visual Basic for Applications Software Development Kit (VBA SDK) version 5.0, version 6.0, version 6.1, version 6.2, or version 6.3. Microsoft recommends that companies that have licensed and that have built VBA-enabled applications must use this security patch for all new installations. Those companies may freely distribute the fix and the files in a manner that is suitable for their application setup.

Microsoft recommends that all VBA clients must update their version of the VBA engine (VBE or VBE6) as soon as possible. Clients who have a VBA-enabled application must contact the application maker to verify if a specialized security patch or an inclusive update is available for that application. If a specialized security patch or an inclusive update is not yet available, or if the product is one of the previous Microsoft products, you must download and then install the following security patch.

The following files are available for download from the Microsoft Download Center:

Download the VBA64-KB822150-X86-ENU.exe package now.

Release Date: September 3, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites
None.

Installation Information
Close all applications that use VBA, and then run the update. You are prompted to confirm the setup. You do have to restart unless VBA is in use by another process. Developers who want to obtain the security patched version of VBE or VBE6 without installing the security patch can do so by using the appropriate Setup switch.

This security patch supports the following Setup switches:
 * /q: Quiet mode (Suppresses dialog boxes when files are being extracted.)
 * /q:u: Quiet mode (There is limited prompting to the user.)
 * /q:a: Administrative Quiet mode (There are no dialog boxes.)
 * /c: Extract files without installing them. (If the /t switch is not present, you are prompted for the path.)
 * /t:[path]: Path of the extract files (This is used with the /c switch.)
 * /r:a: Always restart the computer after installation.
 * /r:n: Never restart the computer after installation.
 * /r:s: Restart the computer without prompting the user.
 * /n:v: No version checking (Always install over the existing version.)

Note You can combine these Setup switches in one command line.

There is no feature to remove this security patch. If you must roll back the security patch, you must rename your existing copies of VBE or VBE6 before you run the setup.

File Information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Applications That Use VBA 6.0 (or later)

  Date         Time   Version             Size   File name --  04-Jun-2003  15:42                      8,725  Eula.txt 03-Jul-2003 20:19  6.4.99.69       2,502,656  Vbe6.dll

Applications That Use VBA 5.0

  Date         Time   Version          Size   File name --  11-Jun-2003  15:05  5.0.78.15      749,568  Vbe.dll 04-Jun-2003 10:42                   8,725  Eula.txt



STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
For additional information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS03-037.mspx

VBA may be used in a number of non-Microsoft products that may also be vulnerable. Microsoft does not maintain a complete list of all third party products that use VBA, but the following Web site lists the most common licensing partners and their products that integrate VBA:

http://msdn2.microsoft.com/en-us/isv/Bb190538.aspx

If you have any of these products and you have not received an update from the manufacturer, you must run the security patch that is provided by this article.

For additional information about the Microsoft Visual Basic for Applications SDK or for additional information about licensing VBA for your custom application, visit the following Microsoft Web site:

http://msdn.microsoft.com/vba/

Keywords: kbdownload kbqfe kbsecvulnerability kbsecurity kbsecbulletin kbbug kbupdate kbfix KB822150

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.