Original CD required for critical MS vulnerability

millar at isc.upenn.edu
Fri Sep 5 13:40:44 GMT 2003


The Visual Basic flaw that Microsoft announced on Wed. (details below) has 
a severity rating of "Critical" (which MS defines as a vulnerability "whose 
exploitation could allow the propagation of an Internet worm without user 
action").

We're trying to push hard on quickly applying patches that MS rates as 
Critical, but this one is tougher to apply: you need the original Office CD 
and you have to go to Office Update; Windows Update doesn't catch it.  I'm 
not sure about Baseline Security Analyzer, because it started giving me 
problems yesterday.

Has anyone ever had any luck convincing MS to:
a.) Move Office critical security patches into the Windows Update 
umbrella?  That's where all our communication has pointed end users to.
b.) Support Office patches without original CDs?  I've got to think that 
out of our 35,000 people here, there are going to be a lot who can't find 
their original CDs.  I'd hate to be in the middle of a worm outbreak 
asking everyone on campus to please go find their original Office CDs.

Thanks,
Dave Millar
University Information Security Officer
University of Pennsylvania


Microsoft Security Bulletin MS03-037
Flaw in Visual Basic for Applications Could Allow Arbitrary Code
Execution (822715)
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-037.asp
Affected platforms: All Windows operating systems running Access 97,
2000, 2002; Excel 97, 2000, 2002; PowerPoint 97, 2000, 2002; Project
2000, 2002; Publisher 2002; Visio 2000, 2002; Word 97, 98, 2000,
2002; Works Suite 2001, 2002, 2003; MS Business Solutions


