Microsoft releases Security Bulletin MS10-031 - Critical

Microsoft has released Security Bulletin MS10-031 which resolves a privately reported vulnerability in Microsoft Visual Basic for Applications (VBA).

The complete Security Bulletin can be found here.

Summit has made the updated version of the Visual Basic for Applications SDK, which addresses the vulnerability described in this bulletin, available here for independent software vendors (ISVs).

From the Security Bulletin...

Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (978213)

This security update resolves a privately reported vulnerability in Microsoft Visual Basic for Applications. The vulnerability could allow remote code execution if a host application opens and passes a specially crafted file to the Visual Basic for Applications runtime. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for all supported versions of Microsoft Visual Basic for Applications SDK and third-party applications that use Microsoft Visual Basic for Applications. This security update is also rated Important for all supported editions of Microsoft Office XP, Microsoft Office 2003, and the 2007 Microsoft Office System. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The update addresses the vulnerability by modifying the way that Visual Basic for Applications searches for ActiveX Controls embedded in documents. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. Microsoft recommends that customers apply the update immediately.

Developer Tools

| Developer Tools | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by this Update |
|---|---|---|---|
| Microsoft Visual Basic for Applications[1] (KB974945) | Remote Code Execution | Critical | MS06-047 |
| Microsoft Visual Basic for Applications SDK[2][3] | Remote Code Execution | Critical | MS06-047 |

[3]The updated version of the Visual Basic for Applications SDK that addresses the vulnerability described in this bulletin is available for independent software vendors (ISVs) from the Summit Software Company. For more information, see the next section, Frequently Asked Questions (FAQ) Related to This Security Update.

 


Posted May 11 2010, 02:13 PM by dschneid

Comments

shanzaymalik wrote re: Microsoft releases Security Bulletin MS10-031 - Critical
on 02-08-2011 8:51 AM

Nice info about Security Bulletin, I am going to bookmark this page.

http://www.pakhot.com

shanzaymalik wrote re: Microsoft releases Security Bulletin MS10-031 - Critical
on 02-08-2011 8:54 AM

thanks for sharing this post
