The Computer Emergency Response Team (CERT), a group at Pittsburgh-based Carnegie Mellon University that monitors security issues, is urging users to immediately install a Microsoft patch relating to a previously revealed security hole in Office 2000.
CERT issued an advisory on the issue late Wednesday. It cited the severity of the vulnerability created by the security hole as the reason that users should move quickly to install the patch.
The flaw was first disclosed by @Stake's L0pht Research Labs security consulting unit earlier this month. The hole made it possible for a malicious Web-site user to disable macro warnings in Office 2000, reduce a company's virus-protection security levels and execute arbitrary code that could spread itself to all the users listed in an address book.
The problem is associated with an ActiveX control named Microsoft Office UA Control, which shipped with Office 2000 and components of the suite such as Word 2000, Excel 2000, PowerPoint 2000 and Outlook 2000.
Although Microsoft quickly released its patch on May 15, a CERT spokesman yesterday said the group posted its advisory at this later date because "we wanted to make sure the (user) community knows about what a serious issue it is."
In addition, CERT's advice for dealing with the Office 2000 security hole "does differ somewhat from what Microsoft put out, and there have been some disagreements as to technically what is going on here with this issue," the spokesman said.
For example, a document posted by Microsoft on its Web site says that users who have set their e-mail to run in the Restricted Zone on Outlook 2000 wouldn't be affected by the security hole.
However, that alone may not be sufficient to protect users if the patch for the Office 2000 UA control hasn't been applied, said Cory Cohen, a member of CERT's technical team. "One of the things we have observed is that if you rely on (configuring Outlook to view mail in the Restricted Zone setting), it is inadequate," Cohen said. "A user can send a piece of malicious script in Outlook that can start Internet Explorer and let it do a lot of bad things."
However, the patch that Microsoft has made available appears to fix the problem and should be installed by users "as soon as possible," Cohen said. Despite the potential vulnerability, he added, CERT hasn't received any reports of users being affected by the security hole.
In a response sent via e-mail, a Microsoft spokeswoman said the security hole "to date . . . is a purely theoretical issue, and no customers have reported the problem to Microsoft." She added that the company "responded to this issue immediately" by providing the patch.