COMMAND

    Word

SYSTEMS AFFECTED

    Word 97, 2000

PROBLEM

    Following is  based on  a Microsoft  Security Bulletin (MS00-071).
    If an Access database is specified  as a data source via DDE  in a
    Word mail merge  document, macro code  can run without  the user's
    approval when the user opens that document.

    If a user  could be enticed  into opening a  specially constructed
    mail merge Word document, which  was provided either as an  e-mail
    attachment or as a link hosted on a hostile web site, it would  be
    possible to  cause arbitrary  code to  run on  the user's machine.
    For such  an attack  to succeed,  the victim  would also  need the
    ability to reach  the Access database  via a UNC  share or file://
    protocol.   If the  user is  behind a  firewall and  security best
    practices have  been followed,  the ports  required to  access the
    database would be blocked.

SOLUTION

    Patch availability:

        - Microsoft Word 2000: http://officeupdate.microsoft.com/2000/downloadDetails/wrdacc.htm

    For Word 97 patch will be available shortly.