Microsoft Patches Critical VBA Flaw

Submitted by Marcel 2003-09-04
Privacy, Security

An identified security issue in Microsoft Visual Basic for Applications could allow an attacker to compromise a Microsoft Windows-based system and then take a variety of actions. Windows and Office users should update their systems.

About the author: Eugenia Loli. Ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.

14 Comments

2003-09-04 3:04 pm
It would be interesting to plot the curve of the frequency patches have been needed for Microsoft products over the past few years. I suspect we are approaching a vertical asymptote soon.

2003-09-04 3:05 pm
Huf ! The patch is quite biiig !! ftp://ftp-mirror.internap.com/pub/debian-cd/i386

2003-09-04 3:06 pm
On German heise.de there were FOUR announcements about critical MS-flaws today…

2003-09-04 3:07 pm
Never. From the moment a computer is connected into a network, it is almost close to impossible to catch out ALL security holes during development. Linux distros are not much better either, just check Red Hat’s security bulletins.

2003-09-04 3:19 pm
"On German heise.de there were FOUR announcements about critical MS-flaws today…"

You missed one. On my bugtraq mailing-list, I received today:

( 95) Alert: Microsoft Security Bulletin – MS03-034
( 93) Alert: Microsoft Security Bulletin – MS03-035
( 98) Alert: Microsoft Security Bulletin – MS03-036
(121) Alert: Microsoft Security Bulletin – MS03-037
( 84) Alert: Microsoft Security Bulletin – MS03-038

But I agree with ELQ. It’s not the number of security alerts which is interesting, it’s

* the time between when a flaw was discovered and the time the patch is available. Too often I see on the bugtraq mailing-list:
  Hole discovered: day x
  Vendor notified: x+1
  Vendor second notification: x+8
  Security bulletin alert: x+15
* the proportion of users who apply the patch. Previous kits used to break things that worked, or to slow them incredibly. That’s why the admins in my company are reluctant to apply patches.

2003-09-04 3:26 pm
(well… my post was a joke…) Of course I know it will never stop, but I was making the point that the _frequency_ of these seems to be increasing with Microsoft. I haven’t noticed critical Linux patches increasing in frequency every month. In fact, it seems that FreeBSD and OpenBSD patches have _decreased_ in frequency lately. (Not to mention, how many of the *nix vulnerabilities allow full root access to the system? Generally, once a Windows box is exploited, the system is wide open.) So, of course the network obviously affects security, but systems that are designed to take that into account have far fewer problems, and far lower frequency of need for emergency patches. Plotting the frequency of patches looks more like a wavy line than a continually rising curve. (Again, I’m not a statistician, just joking here, but I wonder what the real statistics are…)

2003-09-04 3:50 pm
Microsoft has more holes in their systems than the moon has craters. So they’ve patched a whopping one more hole. At this rate if they don’t release any new versions of anything but just supply patches for security flaws, they’ll have things fixed by the year 2525.

2003-09-04 4:14 pm
This article came out just last week… if it’s anywhere near being non-hypothetical, this could be just what was being waited for. http://www.nccomp.com/sysadmin/whatif-1.html

2003-09-04 4:15 pm
🙂

2003-09-04 4:49 pm
Just wondering why there are not more articles here on osnews.com like this. I recall seeing nothing on msblast or sobig.f, so it is a nice surprise to see this. (I say ‘nice’ meaning it is nice to stay informed.) Also, what is up with all the trolls who respond to articles like this, going “MS software has more holes than Swiss cheese!” Yeah, no shit Sherlock. The sky is also blue – have any other pieces of groundbreaking info you would like to enlighten us with?

2003-09-04 5:53 pm
VBA itself has always been a major security flaw. Maybe the patch finally removes support for it from Word, Outlook, OE and Excel. Access couldn’t really function without it, but the rest could just fine. When will MS realize that not every piece of software they release should be able to run macros and scripts? Even Windows Media Player executes scripts…I can’t wait for the first WMP worm…that’s gonna be funny.

2003-09-04 7:32 pm
"Never. From the moment a computer is connected into a network, it is almost close to impossible to catch out ALL security holes during development."

I suppose there will always be some small security holes, but the amount and severity of security holes will be reduced drastically (almost to nothing in most cases) when capability-based systems have replaced access control systems. Why this hasn’t been done already is probably because of massive ignorance. Those of you who don’t know what I’m talking about might want to read e.g. “Capability Myths Demolished”: http://zesty.ca/capmyths/

2003-09-04 9:03 pm
The link you posted was informative. I did not know some of those things, if you are in the same boat as me, Read It!!

2003-09-05 12:09 am
Indeed this is very, very old news. M$ did that since … 1995, 1994 ??