Windows Update causes problems with VBA code


Greg Willson

We have recently started seeing a few problems with Microsoft Dynamics GP VBA (Visual Basic for Applications) customizations as the result of a critical Windows Update that was released.  I have done some research on the issues our customers have been seeing and I wanted to share my findings with the community.  The root cause has been narrowed down to Microsoft Security Bulletin MS08-070, which addresses security risks found in certain ActiveX controls.  This bulletin was originally published December 9, 2008.


Background of the critical Windows Update
The critical update addresses issues in multiple ActiveX controls that could allow remote code execution if a user visits a website containing code specially crafted to exploit them.  The effect is that the publisher of the website containing the malicious code could potentially take complete control of the user’s system.  The vulnerabilities were discovered in very commonly used ActiveX controls, such as the MS FlexGrid control (MSFLXGRD.OCX) and the MS DataGrid control (MSDATGRD.OCX), as well as a few others (see security bulletin MS08-070).


This affects a broad set of developer tools and Office software such as VB6 Runtime, Visual Studio 2002/2003 SP1, FoxPro 8/9 SP1/SP2, FrontPage 2002 and Project 2003 SP3/2007 SP1.  Here is a great chart of the affected controls taken from the security bulletin.  Of particular interest to us are the VB6 Runtime files.


Severity Ratings and Vulnerability Identifiers (excerpt from MS08-070)

Vulnerability Severity Rating and Maximum Security Impact by Affected Software

| Affected Software | DataGrid Control Memory Corruption Vulnerability – CVE-2008-4252 | FlexGrid Control Memory Corruption Vulnerability – CVE-2008-4253 | Hierarchical FlexGrid Control Memory Corruption Vulnerability – CVE-2008-4254 | Windows Common AVI Parsing Overflow Vulnerability – CVE-2008-4255 | Charts Control Memory Corruption Vulnerability – CVE-2008-4256 | Masked Edit Control Memory Corruption Vulnerability – CVE-2008-3704 |
| --- | --- | --- | --- | --- | --- | --- |
| Microsoft Developer Tools | | | | | | |
| Microsoft Visual Basic 6.0 Runtime Extended Files | Critical / Remote Code Execution | Critical / Remote Code Execution | Critical / Remote Code Execution | Critical / Remote Code Execution | Critical / Remote Code Execution | Critical / Remote Code Execution |
| Microsoft Visual Studio .NET 2002 Service Pack 1 | Not applicable | Not applicable | Not applicable | Critical / Remote Code Execution | Critical / Remote Code Execution | Critical / Remote Code Execution |
| Microsoft Visual Studio .NET 2003 Service Pack 1 | Not applicable | Not applicable | Not applicable | Critical / Remote Code Execution | Critical / Remote Code Execution | Critical / Remote Code Execution |
| Microsoft Visual FoxPro 8.0 Service Pack 1 | Critical / Remote Code Execution | Critical / Remote Code Execution | Critical / Remote Code Execution | Critical / Remote Code Execution | Critical / Remote Code Execution | Critical / Remote Code Execution |
| Microsoft Visual FoxPro 9.0 Service Pack 1 | Critical / Remote Code Execution | Critical / Remote Code Execution | Critical / Remote Code Execution | Critical / Remote Code Execution | Critical / Remote Code Execution | Critical / Remote Code Execution |
| Microsoft Visual FoxPro 9.0 Service Pack 2 | Critical / Remote Code Execution | Critical / Remote Code Execution | Critical / Remote Code Execution | Critical / Remote Code Execution | Critical / Remote Code Execution | Critical / Remote Code Execution |
| Microsoft Office Software | | | | | | |
| Microsoft Office FrontPage 2002 Service Pack 3 | Not applicable | Critical / Remote Code Execution | Not applicable | Not applicable | Not applicable | Not applicable |
| Microsoft Office Project 2003 Service Pack 3 | Not applicable | Critical / Remote Code Execution | Not applicable | Critical / Remote Code Execution | Not applicable | Not applicable |
| Microsoft Office Project 2007 and Microsoft Office Project 2007 Service Pack 1 | Not applicable | Not applicable | Not applicable | Critical / Remote Code Execution | Not applicable | Not applicable |



The security update changes registry settings to prevent a COM object from being instantiated in Internet Explorer.  However, there is a known problem that affects applications using VBA code.  If your Dynamics GP VBA code is using one of the affected controls on a userform, your code may no longer function after the update is installed.  This known issue is discussed further in KB932349.
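
To see which of the controls named above are currently blocked on a workstation, the read-only PowerShell below can be used. It is an added example, not code from the original post or from Microsoft. It assumes the registry setting in question is the ActiveX kill bit (bit 0x400 of the `Compatibility Flags` value under `Internet Explorer\ActiveX Compatibility\{CLSID}`); the function name `Get-KillBitStatus` is hypothetical, and the two OCX file names are the ones mentioned in this post.

```powershell
# Added example: report kill-bit status for the ActiveX controls named in the post.
# Read-only; it makes no registry changes.
$KillBit  = 0x400                              # kill bit within "Compatibility Flags"
$OcxNames = 'MSFLXGRD.OCX', 'MSDATGRD.OCX'     # file names taken from the post

function Get-KillBitStatus {
    param([string[]]$FileNames = $OcxNames)

    # Check both registry views: 32-bit controls register under Wow6432Node on x64.
    foreach ($view in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
        $compat = Join-Path $view 'Microsoft\Internet Explorer\ActiveX Compatibility'
        if (-not (Test-Path -LiteralPath $compat)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $compat) {
            $clsid = $key.PSChildName
            $flags = [int]$key.GetValue('Compatibility Flags', 0)

            # Resolve the CLSID to the file that implements it, if it is registered.
            $server = Join-Path $view "Classes\CLSID\$clsid\InprocServer32"
            if (-not (Test-Path -LiteralPath $server)) { continue }
            $path = (Get-Item -LiteralPath $server).GetValue('')
            if (-not $path) { continue }
            $path = $path.Trim('"')

            # Keep only the controls we were asked about (comparison ignores case).
            $leaf = Split-Path $path -Leaf
            if ($FileNames -notcontains $leaf) { continue }

            # File version shows whether an updated OCX has been installed.
            $version = if (Test-Path -LiteralPath $path) {
                (Get-Item -LiteralPath $path).VersionInfo.FileVersion
            } else { 'file not found' }

            [pscustomobject]@{
                View       = $view
                Control    = $leaf
                Clsid      = $clsid
                Flags      = '0x{0:X}' -f $flags
                KillBitSet = [bool]($flags -band $KillBit)
                Version    = $version
            }
        }
    }
}

Get-KillBitStatus | Format-Table -AutoSize
```

Running it before and after applying an update shows whether the flag or the file version changed for each control; an empty result means none of the listed OCX files has an entry under the compatibility key.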


To resolve this issue, there is a new rollup update for the ActiveX controls that was published on February 10, 2009.  The rollup update is discussed further in KB960715.  This rollup update contains updated files for the previously published advisory MS08-070 as well as two third-party ActiveX controls.  Locate the appropriate download for your operating system version.


Greg

Comments (2)

  1. Several folks are reporting that a recent Windows update is causing problems with VBA code in Dynamics

  2. Tom Garth says:

    My problem is with the FlexGrid control on a GP10 VBA User Form.

    It would be really special if Microsoft were to publish a fix for this issue that could be applied directly to the affected machines. They have not. They have an update for VB6 SP6 that updates the affected controls, but the only way to repair the distributed applications is to repackage them, and this is not an option for the VBA modules.

    It would also be cool if searching for *.exd (recommended in KB957924) on Vista actually found the existing files. A command window must be used to delete them.