Microsoft Security Bulletin MS99-001 - Critical
Patch Available for exposure in Forms 2.0 TextBox Control that allows data to be read from user's Clipboard
Published: January 21, 1999
Originally Posted: January 21, 1999
Microsoft has released a patch that fixes a vulnerability in the Forms 2.0 ActiveX control. This control is distributed in any application that includes Visual Basic for Applications 5.0. A malicious hacker could use the Forms 2.0 Control to read or export text on a user's Clipboard when that user visits a web site set up by the malicious hacker or opens a HTML email created by the malicious hacker.
A fully supported patch is available to fix this vulnerability, and Microsoft recommends that customers download and install it to protect their computers.
The Forms 2.0 ActiveX control has a vulnerability that allows text to be pasted from a user's Clipboard into a Forms 2.0 Text Box or Combo Box. This control is installed as a standard part of the applications listed in the "Affected Products" section below.
A malicious hacker could use the Forms 2.0 Control to read or export text on a user's Clipboard when that user visits a web site set up by the malicious hacker or opens a HTML email created by the malicious hacker.
The Forms 2.0 Security Patch prevents a hacker from exploiting this vulnerability. Those who install the patch will not lose functionality and will still have the ability to manually paste content from their Clipboard to a Forms 2.0 Text Box or Combo Box. Developers who have built VBA solutions using the Forms 2.0 Control will still be able to paste into Text Boxes and Combo Boxes.
While there have not been any reports of customers being adversely affected by these problems, Microsoft is releasing a patch to address any risks posed by this issue.
Affected Software Versions
The following software installs the Forms 2.0 control:
- Microsoft Office 97
- Microsoft Outlook 98
- Microsoft Project 98
- Microsoft Visual Basic 5.0
- Any third-party product that includes Visual Basic for Applications 5.0
Vulnerability Identifier: CVE-1999-0384
To determine whether you need to download and install the security fix, right-click the Fm20.dll file in your \Windows\System folder and choose Properties on the shortcut menu. If the file date of your FM20.dll file is earlier than January 11, 1999 (1/11/99), you should download and install the security fix.
What Microsoft is Doing
Microsoft has released a patch that fixes the problem identified. This patch is available for download from the sites listed below in "What Customers Should Do".
Microsoft has made information about this patch available on the Microsoft Office web site, and has sent information about the availability of this patch to ISV partners licensing VBA and registered Office users.
Microsoft has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service. See The Microsoft Product Security Notification Service for more information about this free customer service.
Microsoft has published the following Knowledge Base (KB) article on this issue:
Microsoft Knowledge Base (KB) article 214757, Forms 2.0 (Fm20*.dll) ActiveX Control Security Fix
(Note It might take 24 hours from the original posting of this bulletin for the KB article to be visible in the Web-based Knowledge Base.)
What customers should do
Microsoft highly recommends that all affected customers download the patch to protect their computers. The complete URL for each affected software version is given below.
Customers can obtain the patch from the free Office Update service. To obtain this patch using Office Update, visit the Office Update site at http://office.microsoft.com/downloads/9798/fm2paste.aspx.
Please see the following references for more information related to this issue.
- Patch Available for exposure in Forms 2.0 TextBox Control that allows data to be read from user's Clipboard (the Web-posted version of this bulletin), http://www.microsoft.com/technet/security/bulletin/ms99-001.mspx.
- Microsoft Knowledge Base (KB) article 214757, Forms 2.0 (Fm20*.dll) ActiveX Control Security Fix
Microsoft wishes to acknowledge Juan Carlos Garcia Cuartango of Spain for discovering this vulnerability and for his continued assistance and input.
Obtaining Support on this Issue
This is a supported patch. If you have problems installing this patch or require technical assistance with this patch, please contact Microsoft Technical Support. For information on contacting Microsoft Technical Support, please see http://support.microsoft.com/contactussupport/?ws=support.
- January 21, 1999: Bulletin Created
For additional security-related information about Microsoft products, please visit http://www.microsoft.com/technet/security
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
Built at 2014-04-18T13:49:36Z-07:00