June 20, 2006 12:53 PM PDT

Second zero-day Excel flaw emerges

Attack code for a new security hole in Excel has surfaced on the Internet, just as Microsoft is scrambling to respond to a separate bug in the spreadsheet program.

The latest vulnerability could cause Excel to crash after a malicious file is opened, according to an alert Symantec sent to customers on Monday. The security company also said there was a risk that an intruder could commandeer a PC. "Attackers may also be able to execute arbitrary code, but this has not been confirmed," it said.

The security hole exists because Excel fails to properly check user-supplied input before copying it to an insufficiently sized memory buffer, Symantec said. Excel 2003 and Excel XP are vulnerable, and other versions may also be affected, Symantec said.

Security monitoring company Secunia deems the issue "highly critical," one notch below its most severe ranking, according to an alert it published on Tuesday.

Sample computer code that exploits the flaw is publicly available on the Net. However, Secunia said it is not aware of any current attacks using the security hole.

Microsoft is looking into the issue, a company representative said in a statement Tuesday. "Based on our investigation, the issue is a new vulnerability in Microsoft Windows that may be exploited when clicking on a hyperlink with Office documents," the representative said. Microsoft is not aware of any attacks that exploit this flaw, he added.

The latest Excel vulnerability comes just as Microsoft is grappling with another yet-to-be-patched bug in the spreadsheet application. That flaw, disclosed late last week, could give an attacker full control over a vulnerable PC and has been exploited in at least one targeted cyberattack, Microsoft has said.

To exploit either one of the new flaws, an attacker would craft a malicious Excel file and host that file on a Web site, send it via e-mail, or otherwise provide it to the intended victim. The attempt can be successful only if the file is opened on a vulnerable PC.

Both vulnerabilities come on the heels of Microsoft's "Patch Tuesday" batch of security updates. Last week, Microsoft released 12 patches that addressed 21 vulnerabilities in various products, including Office applications. The company has said it is working on a patch for the first new Excel flaw.

Some experts believe the timing of the new exploits is no coincidence, as miscreants will have a month until patches are available. Microsoft typically does not release fixes outside of its monthly patching cycle for such flaws, these experts said.

On Monday, Microsoft posted tips for users to respond to the first Excel flaw, which affects all versions of the software, including those for Apple Computer's Mac OS. Microsoft suggests caution when opening Excel files. It also recommends blocking such files when they arrive as e-mail attachments or changing PC settings so spreadsheets can't be opened from the Outlook e-mail client or the Web.

For Excel 2003, Microsoft recommends that people prevent the application from running in "repair mode" by modifying some settings in the Windows Registry. The flaw is exploited in that special mode, Microsoft said in a security advisory on the issue.


10 comments

Isn't This A Flaw In The OS?
How is it that an application program is able to compromise operating system security to this extent? If the OS cannot prevent this condition, then isn't any application, not just Excel, a potential vector for infiltration?

Also, will 3rd party security tools like ZoneAlarm and Norton trap and prevent the Excel infiltration?
Posted by maxwis (141 comments )
It's probably another script hack.
Runs the Office script to make changes to the OS.
Posted by kamwmail-cnet1 (292 comments )
Not an OS flaw --
And you actually have to have Excel installed in order for this to even work at all.

Right now this is just an example file that can crash Excel, there's no exploit attached or anything else.

The point is that there is an exploitable crash though and once you can get your exploit code to run on someone's computer you've gotten past the first and largest hurdle. Of course with the usual "run as administrator" settings most Windows users have...
Posted by aabcdefghij987654321 (1721 comments )
Rule of thumb
My rule of thumb is first altered is first blamed.

As the OS is impacted only after the Excel is taken advantage of, then it is Excel that is to blame.

In a classic error, Excel forgot to check its input parameters for sanity.
Posted by Arctific (3 comments )
It's a Floor Wax ... It's a Dessert Topping ... It's Both!
Jane, you ignorant **** ... oh, sorry, wrong skit. I said skit, spelled s-K-i-t, you ninny! :)

This is both an application flaw and an OS vulnerability. A real OS has complete control over any software running on top of it, to include management of all resources, such as memory (of which this case is an example). Since users are not constrained from running with administrator privileges (and you have to do some extra work to prevent that from being the case when installing the OS, such as creating user accounts with restricted access), anything goes with both user and application actions. In the old(er) days when hardware performance was much less than it is today, direct access to memory had to be provided to applications programmers, or even female users would grow beards waiting for the applications to execute. Unfortunately, this practice was allowed to continue for compatibility with older software, and despite advances in hardware, such as microprocessors' protected user/application modes and enforcement of memory segment/page access, this has remained one of the most egregious vulnerabilities in Microsloth's products. It's also the reason that these flaws keep showing up - there are potentially so many of them, spread across various versions of applications and OSes, and it appears that new programmers who start working on existing code don't know any better than to avoid making this mistake over and over (and whoever is supposed to be reviewing their code isn't earning their income).

It should be a fairly simple matter of using an appropriate automated software analysis tool on the source code to detect these kinds of problems, but with tens of thousands of people developing code at Microsloth, I'll bet that it hasn't bought more than a handful of these tools, if any, since they have prices that start at five figures, and go up rapidly from there for enterprise-sized organizations (they start at roughly the annual salary of a starting developer, but how many people can tirelessly scour code for decades on-end, without missing a single error, as accurately as an automated tool can?). This is yet-another example of why Microsloth hasn't been, isn't, and never will be, a great software development company.

All the Best,
Joe Blow
Posted by Joe Blow (175 comments )
Here's The Fix For These Hacks:
Download OpenOffice 2.0 from http://www.openoffice.org and allow it to be associated with Word, Excel and PowerPoint files. When you click on the file from the download, Microsoft malware will not activate; instead, OpenOffice will activate.

Best of all, OpenOffice is a FREE LICENSE. And I had tested OpenOffice, it's idiot simple for a Microsoft Office user to use the similar OpenOffice interface.
Posted by kamwmail-cnet1 (292 comments )
Here's The Fix For These Hacks:
Download OpenOffice 2.0 from http://www.openoffice.org and allow it to be associated with Word, Excel and PowerPoint files. When you click on the file from the download, Microsoft malware will not activate; instead, OpenOffice will activate.

Best of all, OpenOffice is a FREE LICENSE. And I had tested OpenOffice, it's extremely simple for a Microsoft Office user to use the similar OpenOffice interface.
Posted by kamwmail-cnet1 (292 comments )
 
