Microsoft confirms Excel flaw; outlines defense

Microsoft confirms Excel flaw; outlines defense

Summary: The Microsoft Security Response Center has confirmed ongoing attacks against Excel and is recommending that users either run files through a tool that strips out exploit code or block Office 2003 and earlier formats except for those from trusted locations.

SHARE:

The Microsoft Security Response Center has confirmed ongoing attacks against Excel and is recommending that users either run files through a tool that strips out exploit code or block Office 2003 and earlier formats except for those from trusted locations.

In its advisory MSRC late Tuesday said:

Microsoft is investigating new public reports of vulnerability in Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000, and Microsoft Excel 2004 for Mac. At this time, our initial investigation indicates that customers who are using Microsoft Office Excel 2007 or Microsoft Excel 2008 for Mac, or who have installed Microsoft Office Excel 2003 Service Pack 3 are not affected by this vulnerability.

When the software giant is done investigating, it said it will "take appropriate action," which means it may or may not issue a patch. Microsoft last patched an Excel edition in August.

Microsoft also downplayed the vulnerability and noted that it was only aware of targeted attacks and the flaw hasn't been disclosed broadly (until now). "We believe the risk at this time to be limited," said Microsoft. For instance, the vulnerability can't be exploited on Microsoft Office Excel 2003 Service Pack 3, Microsoft Office Excel 2007, Microsoft Office Excel 2007 Service Pack 1, or Microsoft Excel 2008 for Mac.

However, an "attacker who successfully exploited this vulnerability could gain the same user rights as the local user," said Microsoft. Translation: This could be a real headache if the hacker snares an admin account.

As for the attack vector, the vulnerability can't be exploited automatically via email, but a user has to open an attachment--this is no comfort to me since users always open attachments.

Microsoft notes:

In a Web-based attack scenario, an attacker would have to host a Web site that contains a specially crafted Excel file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's site.

The workaround for this bug depends heavily on the Microsoft Office Isolated Conversion Environment (MOICE), a free Office conversion tool that was released last year. If any attachment looks suspicious, Microsoft recommends running it through MOICE. This approach will protect Office 2003 installations, but you're out of luck if you have Excel 2002 or Excel 2000, two versions that don't have workarounds.

This KnowledgeBase document has the more details on MOICE.

A cruder workaround would be to block Office 2003 and earlier documents from unknown sources. There are dangers to this approach and only the technically inclined (your admin) should use it. The file blocking approach is your last ditch effort.

Topics: Security, Collaboration, Microsoft, Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

52 comments
Log in or register to join the discussion
  • Mister Dignan , who cares ? Certainly not I .

    I steer clear from every product that company makes .
    AdventTech67
    • Me too

      And yet, I think it's important that Excel users hear about the issue and take
      precautions or another swig of Maalox.
      DannyO_0x98
      • Maalox is yumm-OOO (nt)

        nt
        tikigawd
  • You forgot an important

    and largely overlooked work-around: Use Open Office to view and save the Excel file. OO 2.3 can open and save Excel files from Excel 95, 97/2000/XP, and 2003 XML.

    Better yet, save it as a OO spreadsheet, .ods, and forget Excel completely.

    There are better alternatives than continuing to anxiously using MS products and continuing to pay them for software to fix a problem that has apparently been around for nearly a decade (unless your an Excel 2003 user and can swallow SP3).
    jacarter3
  • this is the second shoe, isn't it

    Microsoft just seems so sure they can convert us to the idea of fixing by converting documents.

    - Then because of the inconvenience, they hope lots of office updates. And it is inconvenient.

    - Then because of the Office XML, they push their proprietary XML as 'standards'.

    - they feel off the hook for fixing Office 2003 exploits.

    I think it is a dream, isn't it...
    Narr vi
    • "they feel off the hook for fixing Office 2003 exploits."

      Did you miss the part where the fix for Office 2003 has been available since mid last year?
      KTLA
      • well, "fix". Hmm.

        I have the patch since it existed, and I have MOICE and its prerequisites and upgrades, and I have set of scripts I made to turn this technician's craft on and off where needed.

        Which hundred of a percent of Microsoft's customers have done the same, and which of those will be fortunate enough to have it on when they really need it?

        MOICE has been around since October. If XML files are the only way to make safety, why isn't there a fully integrated, smooth version that takes care of the problem?

        If XML converters can remove the exploits, surely the XML part is unnecessary, and the files could just be re-saved in the original format.

        As far as Office 2003 'fixes', well, I am pretty knowledgeable, and I can't with any confidence sift through this barrage of kludges and faux-fool spin-statements from Microsoft. Who can?

        Do you feel protected?
        Narr vi
    • Or just apply Service Pack 3

      Technically it is not proprietary XML but nonstandard XML -- because you can write software to enact the MS XML definition if you want with license. To be honest if there wasn't so much hostility to MS, most of the MS differences would have been adopted as optional variations or extensions within the standards.


      Also remember the standards processes is it is NOT governed by common user groups but by special interests. MS has far more users but doesn't have proportional votes in standards committees. So who is forcing XML standards on who?

      The truth is Open Source is no different than MS in writing software. Most the time nobody talks final standards until they have an alpha implementation. MS wrote based on draft proposals that were still subject to revision. It would be stupid for MS to wait for Open Source folk to declare how the XML or any other standard will work before starting to write their own.

      Open Source just controls the Standards committees via virtue of the numbers of academic institutions and competitors -- and international groups. None of these people want to see MS compatibility. So of course when XML was adopted the Open Source version was adopted over MS proposals.

      True MS has not bent rapidly to fit the declared rules. The humorous thing is how long it took for Open Source to finally meet their own standards.
      wellduh
    • Or just apply Service Pack 3

      Technically it is not proprietary XML but nonstandard XML -- because you can write software to enact the MS XML definition if you want without license. To be honest if there wasn't so much hostility to MS, most of the MS differences would have been adopted as optional variations or extensions within the standards.


      Also remember the standards processes is it is NOT governed by common user groups but by special interests. MS has far more users but doesn't have proportional votes in standards committees. So who is forcing XML standards on who?

      The truth is Open Source is no different than MS in writing software. Most the time nobody talks final standards until they have an alpha implementation. MS wrote based on draft proposals that were still subject to revision. It would be stupid for MS to wait for Open Source folk to declare how the XML or any other standard will work before starting to write their own.

      Open Source just controls the Standards committees via virtue of the numbers of academic institutions and competitors -- and international groups. None of these people want to see MS compatibility. So of course when XML was adopted the Open Source version was adopted over MS proposals.

      True MS has not bent rapidly to fit the declared rules. The humorous thing is how long it took for Open Source to finally meet their own standards.
      wellduh
  • Office 2003 SP3 is not vulnerable

    install Service Pack 3 for Office 2007 and live in peace.
    qmlscycrajg
    • well, I think you are right, reading more carefully

      At least I hope you are right.

      The obscurity of this statement among all the worry-mongering and kludge proposals doesn't somehow reduce my feeling that this security nightmare, while surely becoming real enough, is also seen as a fine field to exploit.

      It would be quite nice if our journalism were more careful to make distinctions.
      Narr vi
      • Blogs == Journalism?

        Not so sure on that statement.
        tikigawd
    • AND GET OFFICE 2007 and VISTA bits.....

      NO WAY
      carlsf@...
  • Just upgrade to Office 2007

    That's always MSFT's suggestion. Upgrade. A little while longer and there will be vulnerabilities for XP SP2 and their suggestion will be upgrading to Vista.

    When the value proposition doesn't work, try fear.
    Chad_z
    • Oh, kind of like FireFox...

      "... version 2.xx is vulnerable but if you upgrade to version 2.x+, the flaw is fixed."

      Only difference is the amount of money involved. Same fix - upgrade.
      Confused by religion
      • rather more like

        ...convert all the (web) html documents to msHTML 2008.
        alf@...
      • Well, look...

        I've got no problem paying for new features I want...but I shouldn't have to pay for bug fixes for vulnerable code!! *That* is the difference! Sometimes M$ gives us the free updates...and sometimes the answer is "the next version does not contain this vulnerability". With products like Firefox and OpenOffice, you get free updates, whether for features or fixes. Again, I have no problem paying for features, if they are something I want...but the OSS people have a better sense of responsibility as far as getting fixes to their users!!
        Techboy_z
        • SP3 is free & Free Support Forever?

          Commercially there must be a limit to support. Support costs money. And Open Source support is NOT guaranteed. More than a few Open Source projects have withered up and died in terms of active programmers (usually in favor of some new replacement project). Firefox and OpenOffice are really more an exception than the rule for OpenSource applications. Yeah Compilers may live forever.

          But I guarantee you that Linux 1.4 users aren't receiving much support and may have had some painful maintenance to get to 2.4 or 2.6.

          The basic bottomline argument against MS software is that it is NOT free. Flaw rates have ZERO to do with it. And I agree with that argument. When a given software type is matched to features and ability to exchange data across the world in terms of numbers of people -- then Open Source will be the software I use.
          wellduh
      • then

        MS upgrades should be free?

        :o)
        Jack-Booted EULA
      • Not quite

        2.x to 2.X+ is patch fix not a new version. Now if Firefox said 2.X is vulnerable so upgrade to 3.X then the issue would be the same especially if you didn't want nor like version 3.X.
        voska1