COMMAND

    Forms 2.0 TextBox

SYSTEMS AFFECTED

    - Microsoft Office 97
    - Microsoft Outlook 98
    - Microsoft Project 98
    - Microsoft Visual Basic 5.0
    - Any third-party product that includes Visual Basic for Applications 5.0

PROBLEM

    The following is based on a Microsoft Security Bulletin. There is
    a vulnerability in the Forms 2.0 ActiveX control. This control is
    distributed in any application that includes Visual Basic for
    Applications 5.0. A malicious hacker could use the Forms 2.0
    Control to read or export text on a user's Clipboard when that
    user visits a web site set up by the malicious hacker or opens an
    HTML email created by the malicious hacker.

    The Forms 2.0 ActiveX control has a vulnerability that allows
    script on a page to paste text from a user's Clipboard into a
    Forms 2.0 Text Box or Combo Box, from which the script can then
    read it. This control is installed as a standard part of the
    applications listed in the SYSTEMS AFFECTED section above.
    Microsoft wishes to acknowledge Juan Carlos Garcia Cuartango of
    Spain for discovering this vulnerability and for his continued
    assistance and input. The script that exposes the Clipboard
    contents is very simple:

        function GetClipBoard()
        {
        tb.paste();                          // paste over the MS Forms 2.0 TextBox
        document.forms(0).S1.value=tb.text;  // moves the text to the text area box
        }
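
    For a mail or web content filter, the pattern above (script calls
    paste() on an embedded object, then reads its text) can be flagged
    heuristically. This is an added example, not code from the
    bulletin or from Microsoft; the function name, the regex-based
    parsing and the sample markup with placeholder classid values are
    assumptions made for illustration.

```javascript
// Added example: heuristic scanner, not part of the original advisory.
// Flags HTML where script calls paste() on an embedded <object>.
function findClipboardPasteReads(html) {
  // Collect the id of every <object> element (embedded ActiveX controls).
  const objectIds = [];
  const objectTag = /<object\b[^>]*>/gi;
  let m;
  while ((m = objectTag.exec(html)) !== null) {
    const id = /\bid\s*=\s*["']?([A-Za-z_]\w*)/i.exec(m[0]);
    if (id) objectIds.push(id[1]);
  }
  // Concatenate the bodies of all <script> blocks.
  const scriptBlock = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let script = "";
  while ((m = scriptBlock.exec(html)) !== null) script += m[1] + "\n";

  const findings = [];
  for (const id of objectIds) {
    // Programmatic paste into the control, e.g. tb.paste()
    const pastes = new RegExp("\\b" + id + "\\s*\\.\\s*paste\\s*\\(", "i").test(script);
    // Script reading the pasted content back, e.g. tb.text
    const readsText = new RegExp("\\b" + id + "\\s*\\.\\s*(text|value)\\b", "i").test(script);
    if (pastes) findings.push({ objectId: id, readsText: readsText });
  }
  return findings;
}

// Constructed sample: the advisory's script plus a placeholder object tag.
const SAMPLE_FLAGGED = `
<object id="tb" classid="clsid:PLACEHOLDER-FORMS-TEXTBOX"></object>
<form><textarea name="S1"></textarea></form>
<script>
function GetClipBoard() {
  tb.paste();
  document.forms(0).S1.value = tb.text;
}
</script>`;

// Constructed sample: an embedded object that never calls paste().
const SAMPLE_CLEAN = `
<object id="player" classid="clsid:PLACEHOLDER-OTHER"></object>
<script>player.play();</script>`;

console.log(findClipboardPasteReads(SAMPLE_FLAGGED)); // one finding for "tb"
console.log(findClipboardPasteReads(SAMPLE_CLEAN));   // empty list
```

    A hit is a reason to quarantine or review the message, not proof
    of abuse; regex parsing of HTML misses obfuscated script.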

SOLUTION

    The Forms 2.0 Security Patch prevents a hacker from exploiting
    this vulnerability. Those who install the patch will not lose
    functionality and will still be able to manually paste content
    from their Clipboard to a Forms 2.0 Text Box or Combo Box.
    Developers who have built VBA solutions using the Forms 2.0
    Control will still be able to paste into Text Boxes and Combo
    Boxes. To determine whether you need to download and install the
    security fix, right-click the Fm20.dll file in your \Windows\System
    folder and choose Properties on the shortcut menu. If the file
    date of your FM20.dll file is earlier than January 11, 1999, you
    should download and install the security fix. Customers can
    obtain the patch from the free Office Update service. To obtain
    this patch using Office Update, visit the Office Update site at:

        http://officeupdate.microsoft.com/downloaddetails/fm2paste.htm