Microsoft Patches Critical VBA Flaw

Flaw could allow an attacker to execute arbitrary code on a vulnerable server.

Microsoft Corp. on Wednesday issued a patch for a critical vulnerability in its Visual Basic for Applications SDK, which could allow an attacker to execute arbitrary code on a vulnerable server.

The weakness exists in the way that VBA looks at the properties of documents passed to it when the document is opened by a host application. There is a buffer overrun in this process, which an attacker could exploit to run code.

For the attack to work, a user would have to open a malicious document that the attacker sends. But this could happen with any document format that supports VBA, including Word, Excel or PowerPoint.

VBA is based on the Visual Basic development environment and is used to develop desktop applications and integrate them with existing systems. This vulnerability affects VBA SDK versions 5, 6, 6.2 and 6.3. The patch for this flaw is located here.

Microsoft, based in Redmond, Wash., also released patches for four other less severe vulnerabilities in Access, the WordPerfect converter technology, Word and NetBIOS.
