The Computer Emergency Response Team (CERT) issued an advisory earlier this month about security vulnerabilities in two popular Microsoft applications - PowerPoint and Excel - running on both PCs and Macs. The problem can affect Windows systems running Excel 97, Excel 2000, Excel 2002, PowerPoint 97, PowerPoint 2000 and PowerPoint 2002; and Macintosh computers running Excel 98, Excel 2001, PowerPoint 98 and PowerPoint 2001. According to CERT, the vulnerability can allow an intruder to include a specially crafted macro in a Microsoft Excel or PowerPoint document that can avoid detection and run automatically regardless of the security settings specified by the user.

Both Excel and PowerPoint scan documents when they are opened and check for the existence of macros. If the document contains macros, the user running Excel or PowerPoint is alerted and asked if he would like the macros to be run. However, Microsoft Excel and PowerPoint may not detect malformed macros, so a user can unknowingly run macros containing malicious code when opening an Excel or PowerPoint document. An intruder who can entice or deceive a victim into opening a document using a vulnerable version of Excel or PowerPoint could take any action the victim could take, including, but not limited to:

• reading, deleting, or modifying data, either locally or on open file shares
  
• modifying security settings (including macro virus protection settings)
  
• sending electronic mail
  
• posting data to or retrieving data from Web sites.

More information is available from Symantec and patches and info are available from Microsoft.