Microsoft Security Bulletin MS06-038
Last Updated: 2006-07-11 22:01:12 UTC
by Deborah Hale (Version: 2)
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (917284)
Microsoft Bulletin MS06-038
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers should apply the update immediately
Security Update Replacement: None
This Security Bulletin covers multiple CVE items as indicated below:
CVE-2006-1316 - Microsoft Office Parsing Vulnerability
CVE-2006-1540 - Microsoft Office Malformed String Parsing Vulnerability
CVE-2006-2389 - Microsoft Office Property Vulnerability
It appears that all of the Microsoft Office 2000, 2002, and 2003 programs are affected. Works applications are not affected.
This is another remote code execution problem, and it appears to impact Office 2000 applications the worst, leading to a critical assessment. The other versions of Office identified as vulnerable are listed as important for all three of the CVEs.
A remote code execution vulnerability exists in Office and could be exploited when a malformed string included in an Office file is parsed by any of the affected Office applications. Such a string might be included in an email attachment processed by one of the affected applications or hosted on a malicious web site. Viewing or previewing a malformed email message in an affected version of Outlook could not lead to exploitation of this vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Office file that could allow remote code execution.
In all three cases the only tested workaround is NOT to open attachments from untrusted sources. I guess that means to apply the patch ASAP.