Security information for week 2, 1999 described a security risk in Excel 97 - the so-called CALL vulnerability.

A similar security risk is now discovered in Microsoft Word 97. This is potentially more dangerous as it is easier for a malicious person to implement.

The vulnerability has to do with the fact that even though Word 97 does by default display a warning if a user wants to run a document with any macros in it, Word 97 does not display a similar warning about the template which the document may be linked to. A malicious macro might damage the user's files and/or cause information about the files to be distributed. Word 97 even has the ability to link to a template which is not local, but could be an URL on the Internet.

Microsoft has released a patch which solves this vulnerability (Link updated 6 May 1999).After installing the patch a warning is displayed if the template contains macros as well as the document. Note: You have to install Word 97 Service Release 1 or Service Release 2 before you install this "Template Security patch".

More information about this vulnerability is available from Microsoft's knowledge base article about this topic.

Per Olav Førland