Microsoft issues 'critical' VBA alert

by Robert Jaques

04 Sep 2003

Microsoft is warning customers of a 'critical' security flaw in its Visual Basic for Applications (VBA) technology which could allow hackers to take control of Windows PCs.

The company said that the buffer overflow issue in the VBA technology included in versions of Office creates a backdoor that could allow hackers to compromise a Windows system, read files and run programs.

"A flaw exists in the way VBA checks document properties passed to it when a document is opened by the host application," said Microsoft.

"A buffer overrun exists which, if exploited successfully, could allow an attacker to execute code of their choice in the context of the logged on user."

In order for an attack to be successful, a user would have to open a specially crafted document sent to them by an attacker.

"This document could be any type that supports VBA, such as a Word document, Excel spreadsheet or PowerPoint presentation," said the company.

If Word is being used as the HTML email editor for Outlook, the document could be an email. But the user would need to reply to or forward the mail message for the vulnerability to be exploited.

VBA is used for developing client desktop packaged applications and integrating them with existing data and systems.

It is based on the Microsoft Visual Basic development system, and Office products use it to perform core functions.

VBA can also be used to build customised applications around an existing host application.

Microsoft has issued a patch for the flaw.

Products affected by the bug include:

  • VBA SDK 5.0, 6.0, 6.2, and 6.3
  • Office 97, 2000, XP
  • Word 98
  • Visio 2000, 2002
  • Project 2000, 2002
  • Publisher 2002
  • Works Suite 2001, 2002, 2003
  • Business Solutions Great Plains 7.5
  • Business Solutions Dynamics 6.0, 7.0
  • Business Solutions eEnterprise 6.0, 7.0
  • Business Solutions Solomon 4.5, 5.0, 5.5
