July 18, 2000 5:00 AM PDT
Microsoft patches bugs amid criticism
Microsoft issued patches for what it named the "Office HTML Script" vulnerability affecting Excel 2000, PowerPoint 2000 and PowerPoint 97. The company also recommended a workaround for the "IE Script" bug that affects its Access database management software.
The Access vulnerability elicited a special alert from the System Administration, Networking and Security (SANS) Institute, which warned that Access users are "vulnerable to total compromise simply by previewing or reading an email (without opening any attachments)."
The institute also offered a $500 bounty for the first "practical automated solution that companies can use quickly, easily and (relatively) painlessly to protect all vulnerable systems."
The IE Script bug lets attackers use ActiveX controls to embed Visual Basic scripts in Access files when victims visit maliciously designed Web pages or open maliciously designed HTML email. Such an exploit, which forces IE to download the Access file and open it along with the Visual Basic code, can yield "full control" of the victim's computer, its discoverer warned.
Microsoft said it is working on a patch for the Access problem, which first came to light last month after Bulgarian bug hunter Georgi Guninski posted demonstrations along with news of the Excel and PowerPoint vulnerabilities.
In the meantime, Microsoft recommended a workaround for the Access flaw, described on its frequently asked questions page on the bugs.
"The workaround for this vulnerability is to set an Administrator password for Microsoft Access," reads the notice. "This will cause Microsoft Access to prompt the user for the Administrator password before VBA code within an Access database can be executed."
The Excel and PowerPoint problem, which SANS deemed less severe, is that without the patch, the applications let a maliciously designed Web page or HTML email save hostile code to a victim's computer.
That kind of vulnerability could form the basis of a virus such as the destructive "Melissa" or "I Love You" viruses, which hobbled computer networks worldwide, security analysts warned when the bug was first reported.