COMMAND

    MS Word and MS Access

SYSTEMS AFFECTED

    MS Word and MS Access 2000 (with or without Service Release 1a)

PROBLEM

    Georgi  Guninski  found  following.   MS  Word  and MS Access 2000
    (with or  without Service  Release 1a)  allow executing  arbitrary
    programs if  a Word  document is  opened.   This may  be exploited
    also by  visiting a  web page  with IE  or opening/previewing HTML
    email message with Outlook.  In order this to work, the user  must
    be able  to access  a mdb  file, which  resides either  on an  UNC
    share or  a local  drive.   This allows  taking full  control over
    user's computer.

    The  problem  is  MS  Word  accepts  an  Access database as a data
    source  in  Mail  Merge.   Worse,  Word  opens  the  database  and
    executes VBA in  forms that are  opened at database  startup.  VBA
    allows executing arbitrary programs.

    How to reproduce:

    1) Create a  db4.mdb file which  opens a form  at database startup
       and executes VBA code in the form.
    2) Place a copy of db4.mdb in C:\ (for example), you may place  it
       on a UNC share.
    3) Open a Word document.
    4) Select Tools->Mail Merge->Create->Mailing Labels->New Main Document
    5) Select GetData->Open Data Source
    6) Choose C:\db4.mdb
    7) The rest of the wizard is trivial, you must save the new document.

    Sample files are available:

        http://www.nat.bg/~joro/wordaccess.doc
        http://www.nat.bg/~joro/db4.mdb

    This is completely different issue from "Georgi Guninski  security
    advisory  #14,  2000"  "IE  5  and  Access  2000  vulnerability  -
    executing programs", which needs IE and ActiveX, while the current
    bug is in Word/Access.

    -----------in Form1 of db4.mdb---------------------
    Private Sub Form_Load()
    On Error GoTo Err_Command0_Click
        Dim stAppName As String
        stAppName = "C:\Program Files\Accessories\wordpad.exe"
        MsgBox ("Trying to start: " & stAppName)
        Call Shell(stAppName, 1)

    Exit_Command0_Click:
        Exit Sub

    Err_Command0_Click:
        MsgBox Err.Description
        Resume Exit_Command0_Click
    End Sub

    Form1 is automatically opened at database startup.  You must  have
    a table in the database.

SOLUTION

    I believe that following covers this issue:

        http://www.microsoft.com/windows/ie/download/critical/patch11.htm