SECURITY FLAW DISCOVERED IN INTERNET EXPLORER AND ACCESS:
Allows macros to be executed automatically
GFI, leading developer of email content checking and network security software, has discovered a security flaw in Internet Explorer and Microsoft Access 2000 that allows macros to be executed automatically on a victim's machine. GFI has notified Microsoft Corp., which issued an advisory (Microsoft Security Bulletin number MS02-005, dated 11 February 2002).
This flaw within Internet Explorer allows a malicious user to run arbitrary code on a target machine as it attempts to view a website or an HTML email. It can be exploited by embedding macro code such as VBA (Visual Basic for Applications) within an Access database file (.mdb) that in turn lies within an Outlook Express email file or Multipart HTML File (.mhtml). If this file is accessed using Internet Explorer, the attachment can be automatically executed without triggering any warnings.
"It can be most dangerous to open an email which uses this exploit because it will run on any computer having Internet Explorer and Microsoft Access 2000, which forms part of MS Office. Our tests on this email threat showed that, in Outlook 2000, the embedded VBA code was executed automatically even within the High Security and Restricted Zone. Such an email that contains malicious code could do almost anything on the recipient's machine," warned GFI security engineer, Sandro Gauci.
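As an added illustration (not GFI's or Microsoft's code), the following Python example shows how a mail gateway could flag messages that match the pattern described above: an Access database carried as a MIME part, recognised by its Jet file signature or an .mdb name, alongside HTML that uses an iframe or window.open(). The rule names, function names, quarantine policy and sample message are assumptions constructed for this example.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Signature found at offset 0 of a Jet (.mdb) database file.
JET_MAGIC = b"\x00\x01\x00\x00Standard Jet DB"
IFRAME_RE = re.compile(rb"<\s*iframe\b", re.I)
WINDOW_OPEN_RE = re.compile(rb"window\s*\.\s*open\s*\(", re.I)


def scan_message(raw: bytes) -> list:
    """Return sorted rule names (this example's own naming) hit by a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""
        # The name may sit in the attachment header or in MHTML's Content-Location.
        names = [part.get_filename() or "", str(part.get("Content-Location", ""))]
        if body.startswith(JET_MAGIC):
            hits.add("access-db-content")  # still matches if the file was renamed
        elif any(n.strip().lower().endswith(".mdb") for n in names):
            hits.add("access-db-name")
        if part.get_content_type() == "text/html":
            if IFRAME_RE.search(body):
                hits.add("html-iframe")
            if WINDOW_OPEN_RE.search(body):
                hits.add("html-window-open")
    return sorted(hits)


def should_quarantine(raw: bytes) -> bool:
    """Example policy: hold any message that carries an Access database."""
    return any(h.startswith("access-db") for h in scan_message(raw))


def build_sample() -> bytes:
    """Constructed message: HTML with an iframe plus a renamed Jet signature stub."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("plain body")
    m.add_alternative('<html><body><iframe src="cid:db1"></iframe></body></html>',
                      subtype="html")
    m.add_attachment(JET_MAGIC + b"\x00" * 32, maintype="application",
                     subtype="octet-stream", filename="report.dat", cid="<db1>")
    return m.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample()))
```

Checking the decoded content as well as the file name matters here because a database part that has been renamed would pass a filter that looks only at extensions.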
Blocking this exploit from running via email
This flaw may be exploited through email by using an iframe tag in an HTML email or a window.open() within a