Windows Update causes problems with VBA code
We have recently started seeing a few problems with Microsoft Dynamics GP VBA (Visual Basic for Applications) customizations as the result of a critical Windows Update that was released. I have done some research on the issues our customer's have been seeing and I wanted to share my findings with the community. The root cause has been narrowed down to Microsoft Security Bulletin MS08-070, which addresses security risks found in certain ActiveX controls. This bulletin was originally published December 9, 2008.
Background of the critical Windows Update
The critical update is to address issues in multiple ActiveX controls where there was a possibility of remote code execution if the user would visit a website with specially crafted code to exploit this issue. The affect is the publisher of the website containing the malicious code could potentially take over complete control of the user's system. The vulnerabilities were discovered in very commonly used ActiveX controls, such as the MS FlexGrid control (MSFLXGRD.OCX) and the MS DataGrid control (MSDATGRD.OCX) as well as a few others (see security bulletin MS08-070).
This affects a broad set of Developer tools and Office software such as VB6 Runtime, Visual Studio 2002/2003 SP1, FoxPro 8/9 SP1/SP2, Frontpage 2002 and Project 2003 SP3/2007 SP1. Here is a great chart of the affect controls taken from the security bulletin. Of particular interest to us is the VB6 Runtime files.
Severity Ratings and Vulnerability Identifiers (excerpt from MS08-070)
Vulnerability Severity Rating and Maximum Security Impact by Affected Software | |||||||
Affected Software |
DataGrid Control Memory Corruption Vulnerability - CVE-2008-4252 |
FlexGrid Control Memory Corruption Vulnerability - CVE-2008-4253 |
Hierarchical FlexGrid Control Memory Corruption Vulnerability - CVE-2008-4254 |
Windows Common AVI Parsing Overflow Vulnerability - CVE-2008-4255 |
Charts Control Memory Corruption Vulnerability - CVE-2008-4256 |
Masked Edit Control Memory Corruption Vulnerability - CVE-2008-3704 | |
Microsoft Developer Tools |
|||||||
Microsoft Office Software |
|||||||
The security update changes registry settings to prevent a COM object from being instantiated in Internet Explorer. However, there is a known problem that affects applications using VBA code. If your Dynamics GP VBA code is using one of the affected controls on a userform, your code may no longer function after the update is installed. This known issue is discussed further in KB932349.
To resolve this issue, there is an new rollup update for the ActiveX controls that was published on February 10, 2009. The rollup update is discussed further in KB960715. This rollup update contains updated files for the previously published advisory MS08-070 as well as two 3rd party ActiveX controls. Locate the appropriate download for your operating system version.
Greg