“Microsoft has addressed security vulnerabilities in its
Office 2000 applications, including one an Internet security group
described as perhaps the “most dangerous programming error” by the
software company to date. Microsoft issued patches for what it
named the “Office HTML Script” vulnerability affecting Excel,
PowerPoint 2000 and PowerPoint 97. The company also recommended a
workaround for the “IE Script” bug that affects its Access database
management software.”

“The Access vulnerability elicited the special alert from the
System Administration, Networking and Security (SANS) Institute,
which warned that Access users are “vulnerable to total compromise
simply by previewing or reading an email (without opening any
attachments).” The institute also offered a $500 bounty for the
first “practical automated solution that companies can use quickly,
easily and (relatively) painlessly to protect all vulnerable
systems.””

“The IE Script bug lets attackers use ActiveX controls to embed
Visual Basic scripts in Access files when victims visit maliciously
designed Web pages or open maliciously designed HTML email. Such an
exploit, which forces IE to download the Access file and open it
along with the Visual Basic code, can yield “full control” of the
victim’s computer, its discoverer warned.”