Bugtraq mailing list archives

Microsoft Security Bulletin (MS00-022)


From: secnotif () MICROSOFT COM (Microsoft Product Security)
Date: Mon, 3 Apr 2000 15:49:46 -0700


The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
                    ********************************

-----BEGIN PGP SIGNED MESSAGE-----

Microsoft Security Bulletin (MS00-022)
- --------------------------------------

Patch Available for "XLM Text Macro" Vulnerability

Originally Posted: April 03, 2000

Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Excel. The vulnerability could allow a
macro to run without generating the expected security warning.

Frequently asked questions regarding this vulnerability can be found
at http://www.microsoft.com/technet/security/bulletin/fq00-022.asp.

Issue
=====
When an Excel user starts a macro that resides outside of the current
spreadsheet (for example, in another spreadsheet), Excel by design
will generate a warning dialogue. However, this dialogue is not
generated if the macro consists of Excel 4.0 Macro Language (XLM)
commands in an external text file.

The vulnerability only affects whether a warning dialogue is
displayed; it does not change any other aspects of the macro's
operation. A malicious user would need to entice a user into accepting
the spreadsheet and opening it. Further, there is no means to
"autolaunch" such a macro, so the malicious user would need to entice
the user into clicking a link to launch the macro.

Affected Software Versions
==========================
 - Microsoft Excel 97
 - Microsoft Excel 2000

Note: Excel ships as a stand-alone product, and also as a member of
the Office family.

Note: Previous versions of Excel may be affected by this
vulnerability. The recommended course of action for customers using
these products is to upgrade to either Excel 97 or 2000, and apply the
patch for them.

Patch Availability
==================
 - Excel 97:
   http://www.officeupdate.com/downloadDetails/Xl8p9pkg.htm?
      s=/downloadCatalog/dldExcel.asp
   Note: A line break has been inserted into the above URL
      for readability.
   Note: This patch requires Office 97 Service Release 2
 - Excel 2000:
   This vulnerability is eliminated in Office Service Release 1,
   which is available at
   http://www.officeupdate.com/2000/downloadDetails/O2kSR1DDL.htm

Note: Additional security patches are available at the Microsoft
Download Center.

More Information
================
Please see the following references for more information related to
this issue.
 - Microsoft Security Bulletin MS00-022: Frequently Asked Questions,
   http://www.microsoft.com/technet/security/bulletin/fq00-022.asp
 - Microsoft Knowledge Base (KB) article Q255605,
   XL2000: Macro Virus Warning Does Not Appear When You Open a Text
   File That Contains XLM Code,
   http://www.microsoft.com/technet/support/kb.asp?ID=255605.
 - Microsoft Knowledge Base (KB) article Q255606,
   XL97: Macro Virus Warning Does Not Appear When You Open a Text
   File That Contains XLM Code,
   http://www.microsoft.com/technet/support/kb.asp?ID=255606.
 - Microsoft TechNet Security web site,
   http://www.microsoft.com/technet/security/default.asp.

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
===============
Microsoft thanks Darryl Higa for reporting this issue to us and
working with us to protect customers.

Revisions
=========
April 03, 2000: Bulletin Created.

- ----------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT
CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.

Last updated April 3, 2000
(c) 2000 Microsoft Corporation. All rights reserved. Terms of use.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2

-----END PGP SIGNATURE-----


To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.

For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/technet/security/notify.asp. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
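
Added example, not part of the Microsoft bulletin: a triage heuristic for mail or file gateways that flags delimited text files whose cells contain XLM command calls, the kind of external text file the Issue section describes. The bulletin does not describe the file layout, so the tab-delimited cells, the command watchlist and the sample data are assumptions made here.

```python
import re

# Assumed watchlist: Excel 4.0 macro (XLM) command functions that have no
# place in an ordinary data file. Extend it to suit local policy.
XLM_COMMANDS = {
    "ALERT", "CALL", "EXEC", "FORMULA", "FOPEN", "FWRITE", "GOTO",
    "HALT", "ON.TIME", "REGISTER", "RETURN", "RUN", "SEND.KEYS",
}

# String literals are blanked first so a command name that only appears
# inside quoted text is not reported ("" is an embedded quote).
_STRING_LITERAL = re.compile(r'"(?:[^"]|"")*"')
# A function call: a name (dots allowed, as in SEND.KEYS) followed by "(".
_CALL = re.compile(r"([A-Za-z][A-Za-z0-9.]*)\s*\(")


def find_xlm_commands(text, delimiter="\t"):
    """Return (row, column, command) for each watchlisted XLM command called
    from a formula cell of delimited text. Rows and columns are 1-based."""
    hits = []
    for row_no, line in enumerate(text.splitlines(), start=1):
        for col_no, cell in enumerate(line.split(delimiter), start=1):
            cell = cell.strip()
            if not cell.startswith("="):
                continue  # plain data, not a formula
            code = _STRING_LITERAL.sub('""', cell)
            for name in _CALL.findall(code):  # also catches nested calls
                if name.upper() in XLM_COMMANDS:
                    hits.append((row_no, col_no, name.upper()))
    return hits


# Constructed sample: ordinary data and a worksheet formula (rows 1-2),
# XLM commands (rows 3-4), and a command name inside a string (row 5).
SAMPLE = (
    "name\tqty\ttotal\n"
    "widgets\t3\t=SUM(B2:B2)\n"
    '=ALERT("constructed sample")\t\t\n'
    "=IF(B2>0,RUN(C5),HALT())\t\t\n"
    'note\t="text mentioning EXEC( only"\t\n'
)

if __name__ == "__main__":
    for row, col, command in find_xlm_commands(SAMPLE):
        print(f"row {row}, column {col}: XLM command {command}")
```

A hit is a reason to quarantine or inspect the file, not proof of malice; spreadsheets legitimately exported as text can contain formulas, which is why ordinary worksheet functions such as SUM are not on the watchlist.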

