MS03-037: Flaw in Visual Basic for Applications could allow arbitrary code execution

Microsoft Visual Basic for Applications (VBA) is based on the Microsoft Visual Basic development system. Microsoft Office products include VBA and use it to perform certain functions. You can use VBA to build customized programs that are based on an existing host program.

A flaw exists in the way VBA checks document properties passed to it when a document is opened by the host program. A buffer overrun exists which, if exploited successfully, could allow an attacker to execute code of their choice in the context of the logged on user.

For an attack to be successful, the logged on user would have to open a specially crafted document that was sent to them by an attacker. This document could be any type of document that supports VBA, such as a Microsoft Word document, a Microsoft Excel spreadsheet, or a Microsoft PowerPoint presentation. If Word is being used as the HTML e-mail editor for Microsoft Outlook, this document could be an e-mail message. However, the logged on user must reply to or forward the malicious e-mail message for the vulnerability to be exploited.

Mitigating factors

• Logged-on users must open a document that is sent to them by an attacker for this vulnerability to be exploited.
• If Word is being used as the HTML e-mail editor in Outlook, users must reply to or forward a malicious e-mail message that was sent to them by the attacker for this vulnerability to be exploited.
• An attacker's code could only run with the same rights as the logged-on user. The specific privileges that the attacker could gain through this vulnerability would therefore depend on the privileges that are granted to the user who is logged on. Any limitations on the account of the user who is logged on , such as those applied through Group Policies, would also limit the actions of any arbitrary code that is executed by this vulnerability.

Security patch information

Download and installation information

If you are using any of the following programs, you should apply the VBA version of this patch:

• Microsoft VBA 5.0
• Microsoft VBA 6.0
• Microsoft VBA 6.2
• Microsoft VBA 6.3
• Microsoft Access 97
• Microsoft Excel 97
• Microsoft PowerPoint 97
• Microsoft Word 97
• Microsoft Word 98(J)
• Microsoft Works 2001
• Microsoft Works 2002
• Microsoft Works Suite 2003
• Microsoft Business Solutions Great Plains 7.5
• Microsoft Business Solutions Great Plains 7.0
• Microsoft Business Solutions Great Plains 6.0
• Microsoft Business Solutions Solomon IV 4.5
• Microsoft Business Solutions Solomon IV 5.0
• Microsoft Business Solutions Solomon IV 5.5

For more information about the Microsoft VBA patch, click the following article number to view the article in the Microsoft Knowledge Base: If you are using any of the following programs, you should apply the specific version of the patch for those products.

• Microsoft Project 2000
• Microsoft Project 2002
• Microsoft Visio 2002

For more information about these security patches, click the following article numbers to view the articles in the Microsoft Knowledge Base: If you are using any of the following programs, you should apply the specific version of the patch for those products.

• Microsoft Office 2000
• Microsoft Office XP (including Microsoft Publisher 2002)

For more information about these security patches, click the following article numbers to view the articles in the Microsoft Knowledge Base:

Removal information

You cannot remove this patch.

Patch replacement information

This patch does not replace any other hotfixes.

For more information about these vulnerabilities, visit the following Microsoft Web site: