11 Aug 2000
Microsoft has issued a patch for a security hole in Office 2000 which, while not critical, places a heavy burden on major users.
The vulnerability could allow a user to construct an HTML file that, when read, would crash an Office 2000 application and then potentially run malicious code.
The problem affects the Word, Excel and PowerPoint components of the Office 2000 suite. Previous versions of these products and Macintosh users are not affected.
However, security experts said while the vulnerability is embarrassing for Microsoft, it would be difficult to exploit the flaw to either break into computers or spread viruses.
Mathew Bevan, a former hacker who is now an independent security consultant, said: "There are many things people can do to cause an application to fail, but it would be difficult for people to use this to execute arbitrary or malicious code."
David Butler, a senior security analyst at Axent, said rolling out security updates is very difficult and time-consuming for support staff. He said the quickest way to respond would be to install perimeter defence measures, such as content checking software.
The problem stems from the ability of Office 2000 applications to read HTML files saved as Office documents. A malformed data object tag, which is an attribute that refers to other objects such as ActiveX controls, embedded in one of these documents could cause the Office application to crash and allow arbitrary code to be executed.
However, for this to happen a malicious user would need to entice a user into opening a malformed Office document.
Word 2000 users can protect themselves from opening malformed HTML documents within Word by enabling 'Confirm conversion at Open' from the Tools-Options-General tab.
In addition, Outlook users who have applied the Outlook Security Update, which was issued in response to concerns after the spread of the Love Bug virus, will be prompted before opening web-hosted or mail-borne Office documents.
Graham Cluley, of antivirus software vendor Sophos, said security bulletins from Microsoft are now being sent out almost daily and while the Office 2000 vulnerability is unlikely to be a vector for virus propagation, the volume of such alerts is a strain on end users.
"We're seeing these bulletins almost daily. It's not something that is likely to transmit on its own. I don't think it's of Kakworm or Love Bug importance, the nuisance is rolling these patches out through the organisation," he said.