Security Bulletin

Microsoft Security Bulletin MS99-002 - Critical

Patch Available for "Word 97 Template" Vulnerability

Published: January 21, 1999

Version: 1.0

Originally Posted: January 21, 1999

Summary

Microsoft has released a patch that fixes a vulnerability in Word 97 which could permit macros to run without warning the user when the user opens a document based on a template containing macros. A malicious hacker could exploit this vulnerability to cause malicious macro code to be run without warning if a user opens a Word attachment that was sent by a malicious hacker, or posted on a web site controlled by the malicious hacker. This malicious macro could possibly be used to damage or retrieve data on a user's system.

A fully supported patch is available to fix this vulnerability, and Microsoft recommends that customers download and install it to protect their computers.

Issue

Now available for download, the Word 97 Template Security Patch addresses a vulnerability that could allow malicious macro code to be run in a Word 97 document without warning a user when the user opens the document.

A standard safety feature of Word 97 is that it warns users when a document containing macros is opened; however, if that document does not itself contain macros, but rather is linked to a template that does contains macros, no warning is issued. A malicious hacker could exploit this vulnerability to cause malicious macro code to run without warning if a user opens a Word document attached to an email sent by the malicious hacker, or if the user opens a Word document on a web site controlled by the malicious hacker. This malicious macro could possibly be used to damage or retrieve data on a user's system.

The Word 97 Template Security Patch prevents a hacker from exploiting this vulnerability. After installing the patch, users will be warned before they launch a document based on a template that contains macros. Installing the patch will not disable the use of templates or macros on templates.

While there have not been any reports of customers being adversely affected by these problems, Microsoft is releasing a patch to address any risks posed by this issue.

Affected Software Versions

The following software versions are affected:

  • Microsoft Word 97

Vulnerability Identifier: CAN-1999-0354

What Microsoft is Doing

Microsoft has released a patch that fixes the problem identified. This patch is available for download from the sites listed below in "What Customers Should Do".

Microsoft has made information about this patch available on the Microsoft Office web site>, and has sent information about the availability of this patch to ISV partners licensing VBA and registered Office users.

Microsoft has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service. See The Microsoft Product Security Notification Service for more information about this free customer service.

Microsoft has published the following Knowledge Base (KB) article on this issue:

(Note    It might take 24 hours from the original posting of this bulletin for the KB article to be visible in the Web-based Knowledge Base.)

What customers should do

Microsoft highly recommends that all affected customers download the patch to protect their computers. The complete URL for each affected software version is given below.

Customers can obtain the patch from the free Office Update service. To obtain this patch using Office Update, visit the Office Update site at https://www.microsoft.com/download/details.aspx?FamilyID=48B0EB05-A735-45CE-814D-6F7EBB78BE73&displaylang;=EN

More Information

Please see the following references for more information related to this issue.

Acknowledgments

Microsoft would like to thank Woody's Office Watch and their reader, DavidF, for notifying us about this vulnerability.

Obtaining Support on this Issue

This is a supported patch. If you have problems installing this patch or require technical assistance with this patch, please contact Microsoft Technical Support. For information on contacting Microsoft Technical Support, please see https:.

Revisions

  • January 21, 1999: Bulletin Created

For additional security-related information about Microsoft products, please visit https://www.microsoft.com/technet/security

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Built at 2014-04-18T13:49:36Z-07:00 </https:>