Software Engineering Institute

From Microsoft Security Bulletin MS03-037:

Microsoft VBA is a development technology for developing client desktop packaged applications and integrating them with existing data and systems. Microsoft VBA is based on the Microsoft Visual Basic development system. Microsoft Office products include VBA and make use of VBA to perform certain functions. VBA can also be used to build customized applications based around an existing host application.
A VBA subsystem, the Visual Basic Design Time Environment (VBE), does not adequately validate certain data passed to it from documents that contain VBA code:

A flaw exists in the way VBA checks document properties passed to it when a document is opened by the host application. When a document is opened by an application that supports Microsoft VBA, the host application carries out a check to determine whether Microsoft VBA is required by the document and should therefore be loaded. During this initial check some document properties are passed to Microsoft VBA - a flaw exists because Microsoft VBA does not correctly validate the data that is passed to it during this initial phase.
VBE is implemented in vbe.dll (VBA 5.0) or vbe6.dll (VBA 6.x).

An attacker could exploit this vulnerability by convincing a victim to open a document that contained specially crafted VBA code. If Word is configured as the email editor for Outlook, an exploit could be delivered via an email message. In this case, the victim would have to reply to or forward the message in order to trigger the exploit. Also, since certain types of Office files are automatically opened by Internet Explorer (IE), an attacker could convince the victim to load a crafted document from a web site.

VBA is included in a number of Microsoft products including Office (Word, Excel, PowerPoint, Access), Publisher, Project, Visio, Works Suite, and Business Solutions (Great Plains, Dynamics, eEnterprise, Solomon). In addition, non-Microsoft products that use VBA may be affected. Per MS03-037:

Microsoft has worked with 3rd parties who develop applications using Microsoft VBA to make sure they are aware of this security vulnerability and that they have the necessary updates to Microsoft VBA to incorporate in their products. You should contact your software vendor to obtain updates for any non-Microsoft applications that use Microsoft VBA.
This vulnerability is described in Microsoft Security Bulletin MS03-037 and eEye Digital Security advisory AD20030903-2.

By convincing a victim to open a specially crafted document, an attacker could execute arbitrary code with the privileges of the victim.

Apply patch

Apply the appropriate patch referenced in Microsoft Security Bulletin MS03-037.