BOSTON (05/26/2000) - The Computer Emergency Response Team (CERT), a group at Pittsburgh-based Carnegie Mellon University that monitors security issues, last week urged users to immediately install a Microsoft Corp. patch relating to a previously revealed security hole in Office 2000.
The flaw was first revealed by Boston-based security firm @Stake Inc. L0pht Research Labs on May 12.
The vulnerability made it possible for a malicious intruder to disable macro warnings in Office products, reduce security levels and execute arbitrary code that could spread itself to all the users listed in the Outlook 2000 address book. The problem originated with a Microsoft Office UA ActiveX control that shipped with Office 2000 and component software.
Although Microsoft quickly released a patch addressing the issue on May 15 [Computerworld Online, May 17], CERT post ed the advisory last week because "we wanted to make sure the community knows about what a serious issue it is," a CERT spokes man said.
"Our advice does differ somewhat from what Microsoft put out, and there have been some disagreements as to technically what is going on here with this issue," the spokes man added.
For instance, a Microsoft posting on the subject said users who have set their e-mail to run in the Restricted Zone on Outlook wouldn't be affected by the vulnerability.
Patch Still Needed
However, that alone may not be sufficient to protect users from this vulnerability if the patch for the Office 2000 UA Control hasn't been applied, said Cory Cohen, a member of CERT's technical team.
"A user can send a piece of malicious script in Outlook that can start Internet Explorer and let it do a lot of bad things," Cohen said.
The Microsoft patch appears to fix the problem and must be applied by users "as soon as possible," Cohen said. The patch is available at http://officeupdate.microsoft.com/info/ocx.htm.
In an e-mail response to Computerworld, a Microsoft spokeswoman wrote, "To date, this is a purely theoretical issue and no customers have reported the problem to Microsoft."