Critical security bulletins have been issued for vulnerabilities in Microsoft's Visual Basic for Applications (VBA) and Remote Procedure Call (RPC) software. Both vulnerabilities could leave systems exposed to takeover by malicious code, and require immediate corrective action, even if customers think it unlikely that a sophisticated programmer can exploit the VBA vulnerability, and even if they already patched RPC to address the Blaster worm. VBA and RPC are found on most computers running Microsoft OSs and applications.

VBA Vulnerability

VBA allows developers and users to develop new applications, integrate different applications, and automate features of existing applications with scripts that can be integrated into common applications and are easier to write and install than executable programs. The best-known use of VBA is in some components of Microsoft Office, but Microsoft has also licensed VBA to other software developers.

The vulnerability is a buffer overflow in code that VBA uses to check document properties when a document is opened.

For an attack to be successful, a user would have to open a specially crafted document sent to them by an attacker. This document could be any type of document that supports VBA, such as a Word document, Excel spreadsheet, or PowerPoint presentation. Note that disabling VBA macros in Office documents does not protect the user against the attack.

The list of affected Microsoft software includes the following:

• Visual Basic for Applications SDKs 5.0, 6.0, 6.2, and 6.3
• Access, Excel, PowerPoint, and Word 97, 2000, 2002
• Project and Visio 2000 and 2002
• Publisher 2002
• Works Suite 2001, 2002, and 2003
• Great Plains 7.5
• Dynamics 6.0 and 7.0
• eEnterprise 6.0 and 7.0
• Solomon 4.5, 5.0, and 5.5.

As was the case with the desktop version of SQL Server (MSDE), which was exploited by the Slammer worm, customers may be surprised by the number of places that VBA is used in their organizations, and they should be aware that software from other vendors not listed above could also use VBA and be vulnerable.

RPC Vulnerability

RPC is used by Windows to allow a program running on one computer to seamlessly access services on another computer.

After Blaster attacked the RPC service, further examination identified three new vulnerabilities.

The affected software includes the following:

• Windows NT Workstation, Server and Terminal Server Edition 4.0
• Windows 2000
• Windows XP
• Windows Server 2003.

Windows Millennium Edition (Me) is not affected.

Note: The patch for Blaster does not provide protection against these new vulnerabilities, but the new patch also protects against Blaster.

Resources

For more information on addressing the VBA vulnerability, see www.microsoft.com/security/security_bulletins/ms03-037.asp.

For more information on addressing the RPC vulnerability, see www.microsoft.com/security/security_bulletins/ms03-039.asp.