Last Updated: 2006-07-11 22:01:12 UTC
by Deborah Hale (Version: 2)
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (917284)
Microsoft Bulletin MS06-038
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers should apply the update immediately
Security Update Replacement: None
This Security Bulletin covers multiple CVE items as indicated below:
CVE-2006-1316 - Microsoft Office Parsing Vulnerability
CVE-2006-1540 - Microsoft Office Malformed String Parsing Vulnerability
CVE-2006-2389 - Microsoft Office Property Vulnerability
This is another remote code execution problem, and it appears to impact Office 2000 applications the worst, leading to a Critical assessment. The other versions of Office identified as vulnerable are listed as Important for all three of the CVEs.
A remote code execution vulnerability exists in Office, and could be exploited when a malformed string included in an Office file was parsed by any of the affected Office applications. Such a string might be included in an email attachment processed by one of the affected applications or hosted on a malicious web site. Viewing or previewing a malformed email message in an affected version of Outlook could not lead to exploitation of this vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Office file that could allow remote code execution.