Excellent piece of Microsoft software... Can't even install it on Word 2002 German on WinXP German. The patch says (translated) "did not find the product expected". I then tried the office update site. That fails with an general error, telling me I should review my security settings.
Bottom line: nice patch, but can't install... Am I now guilty of lazyness if I do not patch? Anyone else with similar problems? Rainer Gerhards > -----Original Message----- > From: Microsoft > [mailto:[EMAIL PROTECTED] > tters.Microsoft.com] > Sent: Thursday, September 04, 2003 6:41 AM > To: Rainer Gerhards > Subject: Microsoft Security Bulletin MS03-035: Flaw in > Microsoft Word Could Enable Macros to Run Automatically(827653) > > > -----BEGIN PGP SIGNED MESSAGE----- > > - ------------------------------------------------------------------- > Title: Flaw in Microsoft Word Could Enable Macros to Run > Automatically (827653) > Date: September 3, 2003 > Software: Microsoft Word 97 > Microsoft Word 98 (J) > Microsoft Word 2000 > Microsoft Word 2002 > Microsoft Works Suite 2001 > Microsoft Works Suite 2002 > Microsoft Works Suite 2003 > Impact: Run macros without warning > Max Risk: Important > Bulletin: MS03-035 > > Microsoft encourages customers to review the Security Bulletins at: > > http://www.microsoft.com/technet/security/bulletin/MS03-035.asp > http://www.microsoft.com/security/security_bulletins/MS03-035.asp > > - ------------------------------------------------------------------- > > Issue: > ====== > A macro is a series of commands and instructions that can be > grouped together as a single command to accomplish a task > automatically. Microsoft Word supports the use of macros to allow > the automation of commonly performed tasks. Since macros are > executable code it is possible to misuse them, so Microsoft Word > has a security model designed to validate whether a macro should be > allowed to execute depending on the level of macro security the > user has chosen. > > A vulnerability exists because it is possible for an attacker to > craft a malicious document that will bypass the macro security > model. If the document was opened, this flaw could allow a > malicious macro embedded in the document to be executed > automatically, regardless of the level at which macro security is > set. The malicious macro could take the same actions that the user > had permissions to carry out, such as adding, changing or deleting > data or files, communicating with a web site or formatting the hard > drive. > > The vulnerability could only be exploited by an attacker who > persuaded a user to open a malicious document - there is no way for > an attacker to force a malicious document to be opened. > > Mitigating Factors: > ==================== > - The user must open the malicious document for an attacker to be > successful. An attacker cannot force the document to be opened > automatically. > > - The vulnerability cannot be exploited automatically through e- > mail. A user must open an attachment sent in e-mail for an e- > mail borne attack to be successful. > > - By default, Outlook 2002 block programmatic access to the > Address Book. In addition, Outlook 98 and 2000 block > programmatic access to the Outlook Address Book if the Outlook > Email Security Update has been installed. Customers who use any > of these products would not be at risk of propagating an e-mail > borne attack that attempted to exploit this vulnerability. > > - The vulnerability only affects Microsoft Word - other members of > the Office product family are not affected. > > Risk Rating: > ============ > -Important > > Patch Availability: > =================== > - A patch is available to fix this vulnerability. Please read the > Security Bulletins at > > http://www.microsoft.com/technet/security/bulletin/MS03-035.asp > http://www.microsoft.com/security/security_bulletins/MS03-035.asp > > for information on obtaining this patch. > > Acknowledgment: > =============== > - Jim Bassett of Practitioners Publishing Company > (http://www.ppcnet.com) > - ------------------------------------------------------------------- > > THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS > PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS > ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES > OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO > EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR > ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, > CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF > MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE > POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION > OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES > SO THE FOREGOING LIMITATION MAY NOT APPLY. > > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP 8.0.2 > > iQEVAwUBP1UvR40ZSRQxA/UrAQE0jwf8Dzm8/NCPSiH+BP7ePKRl66a9rawIDdlu > V+52lARZNbRkBNU00U8ImEzilgfIbgj0HZkcb4GpaQLUsPbYSuyiyu9PrKn0i+/j > JTaZOg48YJYZzhFOq+drUAMmwMQAkD3xb9fCrSxqET4/K4/55qiJW5uyOlH9RZ3K > BS6fhpmrQhOHGRU1gxWDbnRwWZmaqqMCr4WlGJZKZRH3L6kXwEfoH77Xq/v8BiXC > y0a6YqMpmA/Jd3Dpx8ByQBMTEfr2eHmMR9WDBowCip4iQ+p/Qorn8q6JpVlm8mhr > G+fCshh3bCiniTX5cXt+9B4yVqnpYXHefB0Vt5mfi6/bavgbiqdt4A== > =ZJEd > -----END PGP SIGNATURE----- > > > > ******************************************************************* > > You have received this e-mail bulletin because of your > subscription to the Microsoft Product Security Notification > Service. For more information on this service, please visit > http://www.microsoft.com/technet/security/noti> fy.asp. > > To > verify the digital signature on this bulletin, > please download our PGP key at > http://www.microsoft.com/technet/security/noti> fy.asp. > > To > unsubscribe from the Microsoft Security > Notification Service, please visit the Microsoft Profile > Center at http://register.microsoft.com/regsys/pic.asp > > If you do not wish to use Microsoft Passport, you can > unsubscribe from the Microsoft Security Notification Service > via email as described below: > Reply to this message with the word UNSUBSCRIBE in the Subject line. > > For security-related information about Microsoft products, > please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
