CNET News.com: Microsoft patches bugs amid criticismJul 18, 2000, 14:21 (1 Talkback[s])
(Other stories by Paul Festa)
"Microsoft has addressed security vulnerabilities in its Office 2000 applications, including one an Internet security group described as perhaps the "most dangerous programming error" by the software company to date. Microsoft issued patches for what it named the "Office HTML Script" vulnerability affecting Excel, PowerPoint 2000 and PowerPoint 97. The company also recommended a workaround for the "IE Script" bug that affects its Access database management software."
"The Access vulnerability elicited the special alert from the System Administration, Networking and Security (SANS) Institute, which warned that Access users are "vulnerable to total compromise simply by previewing or reading an email (without opening any attachments)." The institute also offered a $500 bounty for the first "practical automated solution that companies can use quickly, easily and (relatively) painlessly to protect all vulnerable systems."
"The IE Script bug lets attackers use ActiveX controls to embed Visual Basic scripts in Access files when victims visit maliciously designed Web pages or open maliciously designed HTML email. Such an exploit, which forces IE to download the Access file and open it along with the Visual Basic code, can yield "full control" of the victim's computer, its discoverer warned."