Comments on: Second zero-day Excel flaw emerges
Another yet-to-be-patched Excel security hole is reported--and there's sample attack code on the Net, experts say.
Most Popular
Latest tech news headlines
- Microsoft sets Office 2010 pricing
January 5, 2010 7:16 AM PST
- Apple's App Store tops 3 billion downloads
January 5, 2010 7:14 AM PST
- Smartphones continue to surge
January 5, 2010 6:49 AM PST
- See all headlines
RSS Feeds
Add headlines from CNET News to your homepage or feedreader.
More feeds available in our RSS feed index.
- Markets
Related quotes
Also, will 3rd party security tools like ZoneAlarm and Norton trap and prevent the Excel infiltration?
Right now this is just an example file that can crash Excel, there's no exploit attached or anything else.
The point is that there is an exploitable crash though and once you can get your exploit code to run on someone's computer you've gotten past the first and largest hurdle. Of course with the usual "run as administrator" settings most Windows users have...
As the OS is impacted only after the Excel is taken advantage of, then it is Excel that is to blame.
In a classic error, Excel forgot to check its input parameters for sanity.
This is both an application flaw and an OS vulnerability. A real OS has complete control over any software running on top of it, to include management of all resources, such as memory (of which this case is an example). Since users are not constrained from running with administrator priveleges (and you have to do some extra work to prevent that from being the case when installing the OS, such as creating user accounts with restricted access), anything goes with both user and application actions. In the old(er) days when hardware performance was much less than it is today, direct access to memory had to be provided to applications programmers, or even female users would grow beards waiting for the applications to execute. Unfortunately, this practice was allowed to continue for compatibility with older software, and despite advances in hardware, such as microprocessors' protected user/application modes and enforcement of memory segment/page access, this has remained one of the most egregious vulnerabilities in Microsloth's products. It's also the reason that these flaws keep showing up - there are potentially so many of them, spread across various versions of applications and OSes, and it appears that new programmers who start working on existing code don't know any better than to avoid making this mistake over and over (and whomever is supposed to be reviewing their code isn't earning their income).
It should be a fairly simple matter of using an appropriate automated software analysis tool on the source code to detect these kinds of problems, but with tens of thousands of people developing code at Microsloth, I'll bet that it hasn't bought more than a handful of these tools, if any, since they have prices that start at five figures, and go up rapidly from there for enterprise-sized organizations (they start at roughly the annual salary of a starting developer, but how many people can tirelessly scour code for decades on-end, without missing a single error, as accurately as an automated tool can?). This is yet-another example of why Microsloth hasn't been, isn't, and never will be, a great software development company.
All the Best,
Joe Blow
Best of all, OpenOffice is a FREE LICENSE. And I had tested OpenOffice, it's idiot simple for a Microsoft Office user to use the similar OpenOffice interface.
- Here's The Fix For These Hacks:
- by kamwmail-cnet1 June 20, 2006 1:39 PM PDT
- Download OpenOffice 2.0 from http://www.openoffice.org and allow it to be associated with Word, Excel and PowerPoint files. When you click on the file from the download, Microsoft malware will not active, instead OpenOffice will activate.
- Like this Reply to this comment
-
(10 Comments)Best of all, OpenOffice is a FREE LICENSE. And I had tested OpenOffice, it's extremely simple for a Microsoft Office user to use the similar OpenOffice interface.