
CERT-In Vulnerability Note CIVN-2006-80
Microsoft Visual Basic for Applications Buffer Overflow Vulnerability

Original Issue Date: August 09, 2006

Severity Rating: High

Systems Affected

  • Microsoft Office 2000 Service Pack 3
  • Microsoft Project 2000 Service Release 1
  • Microsoft Access 2000 Runtime Service Pack 3
  • Microsoft Office XP Service Pack 3
  • Microsoft Project 2002 Service Pack 1
  • Microsoft Visio 2002 Service Pack 2
  • Microsoft Works Suites:
    • Microsoft Works Suite 2004
    • Microsoft Works Suite 2005
    • Microsoft Works Suite 2006
  • Microsoft Visual Basic for Applications SDK 6.0
  • Microsoft Visual Basic for Applications SDK 6.2
  • Microsoft Visual Basic for Applications SDK 6.3
  • Microsoft Visual Basic for Applications SDK 6.4

Overview

A buffer overflow vulnerability has been reported in Microsoft Visual Basic for Applications (VBA) that could allow an attacker to take complete control of the affected system.

Description

The vulnerability is caused by a boundary error that occurs when VBA checks certain document properties that a host application passes to it when opening a document. An attacker could exploit it when a host application passes unchecked parameters to VBA, causing a buffer overrun condition that could allow arbitrary code to be executed.

Solution

Apply the appropriate patches as mentioned in Microsoft Security Bulletin MS06-047.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-047.mspx

References

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-047.mspx

FrSIRT
http://www.frsirt.com/english/advisories/2006/3214

Secunia
http://secunia.com/advisories/21408/

US-CERT VU#159484
http://www.kb.cert.org/vuls/id/159484

CVE Name
CVE-2006-3649

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003