CVE-2006-3649

Name of the Vulnerable Software and Affected Versions Microsoft Visual Basic for Applications (VBA) SDK versions 6.0 through 6.4 Microsoft Office 2000 SP3 Microsoft Office XP SP3 Microsoft Project 2000 SR1 Microsoft Project 2002 SP1 Microsoft Access 2000 Runtime SP3 Microsoft Visio 2002 SP2 Microsoft Works Suite versions 2004 through 2006

Description A remote code execution issue exists in the way Visual Basic for Applications (VBA) checks document properties when opening a document. This could allow an attacker to take complete control of the affected system. The issue arises when VBA is invoked to open documents with unspecified properties that are not verified.

Recommendations For Microsoft Visual Basic for Applications (VBA) SDK versions 6.0 through 6.4, update to a version outside of this range to mitigate the risk. For Microsoft Office 2000 SP3, consider disabling VBA invocation for document opening until a patch is available. For Microsoft Office XP SP3, restrict access to document properties to minimize the risk of exploitation. For Microsoft Project 2000 SR1 and Microsoft Project 2002 SP1, avoid using VBA for opening documents with unspecified properties until the issue is resolved. For Microsoft Access 2000 Runtime SP3 and Microsoft Visio 2002 SP2, consider applying configuration changes to limit VBA's ability to execute arbitrary code. For Microsoft Works Suite versions 2004 through 2006, update to a version outside of this range or apply mitigation measures as recommended for other affected products.