Microsoft has posted Security Bulletin MS01-028, which identifies a potential security problem with RTF (Rich Text Format) documents linked to templates in Microsoft Word. Under some circumstances, such files can run macros without warning, thus opening up the risk of spreading macro viruses on both Microsoft Word for Windows and Word for Mac.
According to Microsoft, affected software includes both Word 98 and Word 2001 for the Mac. The company recommends downloading the patch offered on the bulletin Web page and applying it immediately, but as MacCentral went to press with this article, the specific patches for both Mac Word versions were not yet available.
“By embedding a macro in a template, and providing another user with an RTF document that links to it, an attacker could cause a macro to run automatically when the RTF document was opened,” explained Microsoft. “The macro would be able to take any action that the user herself could take. This could include disabling the user’s Word security settings so that subsequently-opened Word documents would no longer be checked for macros.”
This problem only affects Word, said Microsoft, and only occurs when opening RTF documents that are linked to a template. Microsoft explained that the vulnerability exists because Word doesn’t check a template linked to an RTF document for embedded macros. The forthcoming security patches for Word 98 and Word 2000 for Mac will resolve that problem.
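A defensive check for the condition described above, as an added example that is not from Microsoft or this article: it lists the template each RTF file links to through the RTF `\template` destination, so such files can be reviewed before they are opened. The function names and the sample documents are constructed for illustration.

```python
import re

# RTF records an attached template as a destination group, written either
# {\template <path>} or {\*\template <path>}. Backslashes and braces inside
# the path are escaped with a leading backslash.
TEMPLATE_GROUP = re.compile(
    rb"\{\s*(?:\\\*\s*)?\\template\b\s*((?:\\.|[^{}\\])*)\}"
)
UNESCAPE = re.compile(rb"\\([\\{}])")


def find_template_links(data: bytes) -> list[str]:
    """Return the template paths an RTF document links to (empty if none)."""
    if not data.lstrip().startswith(b"{\\rtf"):
        return []  # not an RTF file, so the check does not apply
    links = []
    for match in TEMPLATE_GROUP.finditer(data):
        path = UNESCAPE.sub(rb"\1", match.group(1)).strip()
        if path:
            links.append(path.decode("latin-1"))
    return links


def scan(docs: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each flagged document name to its linked templates."""
    return {name: links for name, data in docs.items()
            if (links := find_template_links(data))}


# Constructed sample documents (not taken from the bulletin).
SAMPLES = {
    "linked.rtf": rb"{\rtf1\ansi{\*\template C:\\Templates\\report.dot}\pard Hi\par}",
    "plain.rtf": rb"{\rtf1\ansi\pard No template here\par}",
    "notes.txt": rb"the \template keyword appears in this text file",
}

if __name__ == "__main__":
    for name, links in scan(SAMPLES).items():
        print(f"{name}: linked template(s) {links}")
```
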
More details are available on Microsoft’s Web site.