Microsoft Word will accept an Access database as a data source in a mail merge operation. VBA components of the specified database will also be read and executed, if they are in a form that is set up to be opened at startup. This includes VBA commands that can run arbitrary system commands. The specified database must be on the victim's local or networked drives, or on an accessible UNC share.

The HTML file must be opened by the victim. The method of delivery for this file (web, email, ftp, etc.) is irrelevant.

This is a newly discovered variant of Bugtraq ID 1566 / Microsoft Security Bulletin MS00-071. The only difference is that the malicious file must be saved in HTML format.

Remote: Yes

Exploit: No

Solution: Microsoft has released fixes which address this issue. Office users should visit the Office Product Updates page at:

http://office.microsoft.com/productupdates/default.aspx

Source: http://www.xatrix.org/article1642.html