Severity: Medium

Summary:

· This vulnerability affects: Visio 2003, only

· How an attacker exploits it: By enticing one of your users into opening a maliciously crafted Visio document

· Impact: An attacker can execute code, potentially gaining complete control of your users' computers

· What to do: Deploy the Visio 2003 patch as soon as possible, or let Windows Update do it for you

Exposure:

Microsoft Visio is a very popular diagramming application, which many administrators use to create network diagrams. It also ships with some Office packages.

In a security bulletin released today, Microsoft describes a security vulnerability that only affects Visio 2003. Specifically, Visio 2003 suffers from an insecure Dynamic Link Library (DLL) loading vulnerability, sometimes referred to as a binary planting flaw. We first described this class of flaw in a September Wire post, which describes this Microsoft security advisory. If an attacker can entice one of your users into opening a Visio related filw (such as .vsd, .vdx, .vst, or .vtx) file from the same location as a specially crafted DLL, he could exploit this flaw to execute code on that user’s computer with full system privileges, thus gaining complete control of the computer.

Solution Path:

Microsoft has released a Visio 2003 patch to fix this flaw. You should download, and deploy the patch as soon as possible, or let Windows Update do it for you.

Status:

Microsoft has released a fix.