Zero Day

Ryan Naraine and Dancho Danchev

Microsoft plugs dangerous Excel security holes

By Ryan Naraine | March 9, 2010, 12:58pm PST

Ryan Naraine
Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Dancho Danchev
Dancho Danchev is an independent security consultant and cyber threats analyst with extensive experience in open source intelligence gathering and cybercrime incident response. He's been an active security blogger since 2007 and maintains a popular security blog sharing real-time threat intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations can be found in his LinkedIn profile. You can also follow him on Twitter.

Microsoft today issued patches for seven potentially dangerous security flaws in the Microsoft Excel worksheet software and warned that hackers could launch remote code execution attacks if a Windows user opens a specially crafted Excel file.

The Microsoft Excel fixes headline this month’s batch of Patch Tuesday updates, which also includes cover for a vulnerability in the Windows Movie Maker and Microsoft Producer 2003 programs.

[ SEE: New Microsoft IE flaw under attack ]

One of the Excel flaws, CVE-2010-0263, is the first vulnerability to be addressed in the new Open XML file format.

The Excel update (MS10-017) affects all currently supported versions of Microsoft Office Excel. It also affects Office 2004 and Office 2008 for Mac, the Open XML File Format Converter for Mac, supported versions of Excel viewer and SharePoint 2007.

As with most Office vulnerabilities, a user would have to open a specially crafted file in order to be exploited, according to Microsoft’s security response team.

[ SEE: Microsoft investigating another IE browser vulnerability ]

Although the second bulletin (MS10-016) lists Microsoft Producer 2003 in the affected products list, the company did not offer a patch for that piece of software.

Here’s the explanation from Microsoft’s Adrian Stone:

Producer 2003 is a free download with limited distribution. At this time, we are not offering an update for Producer 2003. Our standard approach is to produce updates that can be deployed automatically for all affected products at the same time but Producer 2003 does not offer a means for automatic update. Based on our investigation, we determined that the best way to protect the vast majority of customers was to release an update addressing the components that shipped with Windows. While we continue to investigate Producer 2003, we recommend that customers either uninstall the application or apply an available Microsoft Fix It to disassociate the project file type from the application to add an extra layer of security.

Microsoft also re-released the MS09-033 bulletin to add Virtual Server 2005 to the affected products list.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Talkback Most Recent of 13 Talkback(s)

  • AzuMao
    (Edited: 03/10/2010 01:12 PM)
  • @Loverock; No.
    edit:
    This was supposed to be in reply to Loverock's post.

    I think somebody deleted it, and left my post here..


    Lazy moderators.
    AzuMao
    (Edited: 03/10/2010 01:07 PM)
  • oops
    nt
    Viva la crank dodo
    (Edited: 03/10/2010 09:58 AM)
  • Loverock Davidson
    03/10/2010 09:09 AM
  • I'm glad you asked
    No you need never say more.
    Viva la crank dodo
    03/10/2010 09:58 AM
  • Yeah, I'm sure it has nothing...
    to do with baiting him, right? Considering your post offered nothing on the topic at hand. Can YOU say "transparent"?
    Mr. Slate
    03/12/2010 07:32 PM
  • On the contrary..
    ..he didn't this time. He usually does. I think calling it in advance took away his motivation.
    AzuMao
    03/12/2010 09:12 PM
  • "Nothing"!?
    No other platform complies with the RIAA's demands for invasive DRM as well as Windows!

    Surely that's got to count for something?

    I mean, unless you use free copies of stuff (which is akin to murder), you're SOL if you want to watch a movie or listen to some music but don't have the latest hardware-supported DRM rootkit installed.

    And most people don't pirate, so for most people, it is very important to have an OS that complies with all the RIAA/MPAA/etc's demands, despite how ludicrous they are.


    edit:
    Okay seriously WTF!? Whoever keeps deleting posts I've replied to, next time delete my reply too, so it doesn't look out of place. =/
    AzuMao
    (Edited: 03/10/2010 01:10 PM)
  • RE: Microsoft plugs dangerous Excel security holes
    If OpenXML is so open, why are there no other
    programs that can open .docx or .xlsx files? At
    least, Open Office doesn't.

    That said, XML is a lot more human readable, so
    if your file goes corrupt you can still find a
    way to extract some raw text.

    I wonder if the real problem is in OpenXML, or
    if it's with Microsoft Excel. After all, it
    didn't say that Word or Powerpoint were
    affected; Only Excel.
    Tynach
    03/10/2010 12:40 PM
  • ???
    If OpenXML is so open, why are there no other programs that can open .docx or .xlsx files? At least, Open Office doesn't.

    What?
    KTLA
    03/10/2010 12:46 PM
  • OpenOffice 3.0 does
    OpenOffice 3.x does open docx etc...

    see www.openoffice.org/dev_docs/features/3.0/
    thedavidmckenzie
    03/10/2010 01:54 PM
  • RE: Microsoft plugs dangerous Excel security holes
    Big Microsoft screw-up?
    MS auto-updated my 2007 Office Pro with 2 separate updates on 3-9-2010. After this I could not open any files / applications despite all careful steps and on-line tech support. Finally, I uninstalled the 2 "updates". All applications now execute properly.
    My O.S. is Vista - 64 bit. This has never happened before - since the onset of Office products... even.
    DParker
    Datalp
    03/11/2010 09:25 PM
  • That's Microsoft's way of saying..
    .."It's time to buy the next version of Office, hurry up!".
    AzuMao
    03/11/2010 11:03 PM
