OIT Virus Notification Program
Macro Security Flaw in Office 2000 and Office XP (Windows) and Office 98
and Office 2001 (Macintosh)
Updated 10/11/01
A security vulnerability was discovered this week that affects Office
2000 and Office XP (sometimes called Office 2002) on Windows machines and
Office 98 and Office 2001 on Macintosh machines.
Normally, Microsoft Word, Excel and PowerPoint can be configured to
warn users when a document they are about to open contains macros, which
are lines of executable code embedded in a document that can perform
specific actions. This is a useful security precaution because malicious
users can create macro code or macro viruses in a Word, Excel, or
PowerPoint document that, once activated, can disrupt a machine, spread
by sending out copies of itself via email, or delete files and folders
(see the web pages "Improving Virus Security in Microsoft Office for
Windows (Windows)" and "Improving Virus Security in Microsoft Office for
Macintosh (Macintosh)" for information about these settings).
It was recently discovered, however, that specially malformed macro
code would not be recognized by the Word, Excel and PowerPoint security
settings and could execute without a user's permission (Word is affected
by a similar vulnerability discovered in June). The user would still have
to activate the macro code by opening the document, but after that the
code would execute without the user's knowledge or permission.
Microsoft has patches available for download that, once installed, will
resolve this security vulnerability. Each patch is specific to a
particular version of Office and to either Word, Excel or PowerPoint,
so be sure to download and install the patches for both programs for
your version of Office. Links to the patches are available below.
Once you download the patch, simply double-click on it to install it.
If there is no patch listed for your version of the software below, it
is because Microsoft no longer offers that patch, and you may want to
consider upgrading.
If you regularly exchange Word, Excel or PowerPoint documents
with friends and colleagues, it is recommended that you install the
appropriate patches.
NOTE FOR OFFICE 2000 USERS: In order to install
these patches, you must be running Office 2000 Service Release 1 (SR-1).
If you download and install the patch using the original version of Office
2000, you will be told you need to upgrade to Service Release 1.
To download Office 2000 Service Release 1 (SR-1), visit http://download.microsoft.com/download/office2000pro/SP/SR-1a/WIN98/EN-US/o2ksr1a.exe.
Downloading and installing SR-1 will take time, especially over a modem
connection.
Download locations for the patches (from Microsoft
Security Bulletin MS01-050 and Security
Bulletin MS01-034):