On mySimon: Lemony Snicket: Trouble Begins Book Set
BNET Business Network:
BNET
TechRepublic
ZDNet

January 16th, 2008

Microsoft confirms Excel flaw; outlines defense

Posted by Larry Dignan @ 2:37 am

Categories: Exploit code, Microsoft, Responsible disclosure, Vulnerability research

Tags: Attacker, Microsoft Security Response Center, Vulnerability, Microsoft Corp., Flaw, Microsoft Office, Microsoft Excel, Security, Office Suites, Software

The Microsoft Security Response Center has confirmed ongoing attacks against Excel and is recommending that users either run files through a tool that strips out exploit code or block Office 2003 and earlier formats except for those from trusted locations.

In its advisory MSRC late Tuesday said:

Microsoft is investigating new public reports of vulnerability in Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000, and Microsoft Excel 2004 for Mac. At this time, our initial investigation indicates that customers who are using Microsoft Office Excel 2007 or Microsoft Excel 2008 for Mac, or who have installed Microsoft Office Excel 2003 Service Pack 3 are not affected by this vulnerability.

When the software giant is done investigating, it said it will “take appropriate action,” which means it may or may not issue a patch. Microsoft last patched an Excel edition in August.

Microsoft also downplayed the vulnerability and noted that it was only aware of targeted attacks and the flaw hasn’t been disclosed broadly (until now). “We believe the risk at this time to be limited,” said Microsoft. For instance, the vulnerability can’t be exploited on Microsoft Office Excel 2003 Service Pack 3, Microsoft Office Excel 2007, Microsoft Office Excel 2007 Service Pack 1, or Microsoft Excel 2008 for Mac.

However, an “attacker who successfully exploited this vulnerability could gain the same user rights as the local user,” said Microsoft. Translation: This could be a real headache if the hacker snares an admin account.

As for the attack vector, the vulnerability can’t be exploited automatically via email, but a user has to open an attachment–this is no comfort to me since users always open attachments.

Microsoft notes:

In a Web-based attack scenario, an attacker would have to host a Web site that contains a specially crafted Excel file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s site.

The workaround for this bug depends heavily on the Microsoft Office Isolated Conversion Environment (MOICE), a free Office conversion tool that was released last year. If any attachment looks suspicious, Microsoft recommends running it through MOICE. This approach will protect Office 2003 installations, but you’re out of luck if you have Excel 2002 or Excel 2000, two versions that don’t have workarounds.

This KnowledgeBase document has the more details on MOICE.

A cruder workaround would be to block Office 2003 and earlier documents from unknown sources. There are dangers to this approach and only the technically inclined (your admin) should use it. The file blocking approach is your last ditch effort.

Larry DignanLarry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic. See his full profile and disclosure of his industry affiliations.

  • Talkback
  • Most Recent of 52 Talkback(s)
Why OpenDocument Won
(and Microsoft Office Open XML Didn’t)

http://www.dwheeler.com/essays/why-opendocument-won.html
<... (Read the rest)
Posted by: Ole Man Posted on: 02/17/08 You are currently: a Guest | | Terms of Use
Mister Dignan , who cares ? Certainly not I .  AdventTech67 | 01/16/08
Me too  DannyO_0x98 | 01/16/08
Maalox is yumm-OOO (nt)  tikigawd | 02/15/08
You forgot an important  jacarter3 | 01/16/08
this is the second shoe, isn't it  Narr vi | 01/16/08
"they feel off the hook for fixing Office 2003 exploits."  KTLA | 01/16/08
well, "fix". Hmm.  Narr vi | 01/17/08
Or just apply Service Pack 3  wellduh | 01/16/08
Or just apply Service Pack 3  wellduh | 01/16/08
Office 2003 SP3 is not vulnerable  qmlscycrajg | 01/16/08
well, I think you are right, reading more carefully  Narr vi | 01/16/08
Blogs == Journalism?  tikigawd | 02/15/08
AND GET OFFICE 2007 and VISTA bits.....  carlsf@... | 01/16/08
Just upgrade to Office 2007  Chad_z | 01/16/08
Oh, kind of like FireFox...  Confused by religion | 01/16/08
rather more like  alf@... | 01/16/08
Well, look...  techboy_z | 01/16/08
SP3 is free & Free Support Forever?  wellduh | 01/16/08
then  Jack-Booted EULA | 01/16/08
Not quite  voska1 | 01/17/08
Reality Check  joe.smetona@... | 01/18/08
Better recommendation ..................  Ole Man | 01/19/08
IS XP SP2 NEXT ON THE LIST  lbmurray2000@... | 01/16/08
Long live Windows 98  wellduh | 01/17/08
The Upgrade  tikigawd | 02/15/08
Big deal or not?  KTLA | 01/16/08
Perhaps, KTLA,  mhenriday | 01/16/08
Perhaps, Henri  M.R. Kennedy | 01/16/08
Perhaps, MR Kennedy,  mhenriday | 01/17/08
so, now we know  merc2dogs` | 01/16/08
Encouraging the masses to move to Office 2007  mighetto | 01/16/08
Another forced upgrade strategy.  bjbrock | 01/16/08
Huh?  tonygage@... | 01/16/08
How much do you want to bet? $10? $100?  NonZealot | 01/16/08
Or...  cornpie | 01/16/08
Precisely  Yagotta B. Kidding | 01/17/08
Not So Fast  Reiley 411 | 01/17/08
Sorry  hforman@... | 01/17/08
If this was a car or any other manufactured device...  carlsf@... | 01/16/08
OpenOffice: The best workaround to Microsoft's latest failure  TechExec2 | 01/16/08
MS Office: The best workaround to OpenOffice's latest failure  NonZealot | 01/16/08
Limited to Windows.  joe.smetona@... | 01/18/08
RE: Microsoft confirms Excel flaw; outlines defense  tracy anne | 01/16/08
OH NO! Tell me its not true...again? Really?  mikifinaz1@... | 01/16/08
Using competitor's product not the answer  jongunn@... | 01/16/08
Don't kid yourself  alaniane@... | 01/17/08
Many bicycle riders nearly killed themselves  Ole Man | 02/17/08
Surprise; Surprise  wellduh | 01/16/08
Patching & Users  wellduh | 01/16/08
RE: Microsoft confirms Excel flaw; outlines defense  hal9000lives | 01/17/08
Have you all forgotten . . .  Sheeva | 01/17/08
Why OpenDocument Won  Ole Man | 02/17/08

What do you think?

SponsoredWhite Papers, Webcasts, and Downloads

Essential Topics Click Here

advertisement

Recent Entries

advertisement

Archives

Favorite Links

ZDNet Blogs

White Papers, Webcasts, and Downloads

Meet Doc

  • Here to help you with your Document Management Needs
  • Doc is an enigma. Born to a Russian ballerina and a German electrical engineer, he grew up in various locations in the United States. He’s seen the insides of more brands, versions, and generations of printer and printer-related hardware than almost anyone.
  • To learn more about this mysterious figure check out his blog on ZDNet and his Workspace on TechRepublic. You’ll be glad you did.
  • Produced by
    ZDNet and