Microsoft Word 97 / 2000 Mail Merge Code Execution Vulnerability

Microsoft Word will accept an Access database as a data source in a mail merge operation. VBA components of the specified database will also be read and executed, if they are in a form that is set up to be opened at startup. This includes VBA commands that can run arbitrary system commands. The specified database must be on the victim's local or networked drives, or on an accessible UNC share.

The .doc file must be opened by the victim. The method of delivery for this file (web, email, ftp etc) is irrelevant.

Reportedly, the fix Microsoft released for this issue only disallows the use of dotted UNC paths (such as \\x.y.z.w\). Therefore, it has been reported that this issue can still be exploited using absolute paths. This may be possible if the attacker uses a previously discovered vulnerability or social engineering techniques, to place the Word and Access documents in the same or known location.


Privacy Statement
Copyright 2010, SecurityFocus