Zero Day

Ryan Naraine and Dancho Danchev

Microsoft plugs dangerous Excel security holes

March 9, 2010, 12:58pm PST

Summary: Microsoft today issued patches for seven potentially dangerous security flaws in the Microsoft Excel worksheet software

Microsoft today issued patches for seven potentially dangerous security flaws in the Microsoft Excel worksheet software and warned that hackers could launch remote code execution attacks if a Windows user opens a specially crafted Excel file.

The Microsoft Excel fixes headline this month’s batch of Patch Tuesday updates, which also includes cover for a vulnerability in the Windows Movie Maker and Microsoft Producer 2003 programs.

One of the Excel flaws, CVE-2010-0263, is the first vulnerability to be addressed in the new Open XML file format.

The Excel update (MS10-017) affects all currently supported versions of Microsoft Office Excel. It also affects Office 2004 and Office 2008 for Mac, the Open XML File Format Converter for Mac, supported versions of Excel viewer and SharePoint 2007.

As with most Office vulnerabilities, a user would have to open a specially crafted file in order to be exploited, according to Microsoft’s security response team.

Although the second bulletin (MS10-016) lists Microsoft Producer 2003 in the affected products list, the company did not offer a patch for that piece of software.

Here’s the explanation from Microsoft’s Adrian Stone:

Producer 2003 is a free download with limited distribution. At this time, we are not offering an update for Producer 2003. Our standard approach is to produce updates that can be deployed automatically for all affected products at the same time but Producer 2003 does not offer a means for automatic update. Based on our investigation, we determined that the best way to protect the vast majority of customers was to release an update addressing the components that shipped with Windows. While we continue to investigate Producer 2003, we recommend that customers either uninstall the application or apply an available Microsoft Fix It to disassociate the project file type from the application to add an extra layer of security.

Microsoft also re-released the MS09-033 bulletin to add Virtual Server 2005 to the affected products list.

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Talkback Most Recent of 16 Talkback(s)

  • AzuMao
    10th Mar 2010
  • @Loverock; No.
    edit:
    This was supposed to be in reply to Loverock's post.

    I think somebody deleted it, and left my post here..


    Lazy moderators.
    AzuMao
    10th Mar 2010
  • oops
    nt
    Viva la crank dodo
    10th Mar 2010
  • Loverock Davidson
    10th Mar 2010
  • I'm glad you asked
    No you need never say more.
    Viva la crank dodo
    10th Mar 2010
  • Yeah, I'm sure it has nothing...
    to do with baiting him, right? Considering your post offered nothing on the topic at hand. Can YOU say "transparent"?
    Mr. Slate
    12th Mar 2010
  • On the contrary..
    ..he didn't this time. He usually does. I think calling it in advance took away his motivation.
    AzuMao
    12th Mar 2010
  • "Nothing"!?
    No other platform complies with the RIAA's demands for invasive DRM as well as Windows!

    Surely that's got to count for something?

    I mean, unless you use free copies of stuff (which is akin to murder), you're SOL if you want to watch a movie or listen to some music but don't have the latest hardware-supported DRM rootkit installed.

    And most people don't pirate, so for most people, it is very important to have an OS that complies with all the RIAA/MPAA/etc's demands, despite how ludicrous they are.


    edit:
    Okay seriously WTF!? Whoever keeps deleting posts I've replied to, next time delete my reply too, so it doesn't look out of place. =/
    AzuMao
    10th Mar 2010
  • RE: Microsoft plugs dangerous Excel security holes
    If OpenXML is so open, why are there no other
    programs that can open .docx or .xlsx files? At
    least, Open Office doesn't.

    That said, XML is a lot more human readable, so
    if your file goes corrupt you can still find a
    way to extract some raw text.

    I wonder if the real problem is in OpenXML, or
    if it's with Microsoft Excel. After all, it
    didn't say that Word or Powerpoint were
    affected; Only Excel.
    Tynach
    10th Mar 2010
  • ???
    If OpenXML is so open, why are there no other programs that can open .docx or .xlsx files? At least, Open Office doesn't.

    What?
    KTLA
    10th Mar 2010
  • OpenOffice 3.0 does
    OpenOffice 3.x does open docx etc...

    see www.openoffice.org/dev_docs/features/3.0/
    thedavidmckenzie
    10th Mar 2010
  • RE: Microsoft plugs dangerous Excel security holes
    Big Microsoft screw-up?
    MS auto-updated my 2007 Office Pro with 2 separate updates on 3-9-2010. After this I could not open any files / applications despite all careful steps and on-line tech support. Finally, I uninstalled the 2 "updates". All applications now execute properly.
    My O.S. is Vista - 64 bit. This has never happened before - since the onset of Office products... even.
    DParker
    Datalp
    11th Mar 2010
  • That's Microsoft's way of saying..
    .."It's time to buy the next version of Office, hurry up!".
    AzuMao
    11th Mar 2010
