Excel hole opens PCs to hackers

A security hole in Microsoft Excel XP spreadsheet application could allow hackers to take over a user's PC.

Specially formed XML stylesheets can be used to fool PCs running Microsoft's latest spreadsheet application into executing rogue code.

A security hole in Microsoft Excel XP spreadsheet application could allow hackers to take over a user's PC by using specially formed XML stylesheets.

According to security expert Georgi Guninski, the problem occurs when a user opens an Excel (.xls) spreadsheet file and chooses to view it with an XML stylesheet. If the XML stylesheet contains specially formed code, said Guninski in a security note on his Web site, the PC will try to run that code.

"As script kiddies know this may lead to taking full control over user's computer," said Guninski. "Excel does not give any warning to the user -- just asks whether to use the style sheet or not." However, Guninski added, by default Excel does not display spreadsheet files with the stylesheet.

On his site Guninski has posted a sample piece of code that would fool Excel XP into thinking that contains a link to a stylesheet but which in fact runs a command that lists directory contents on the user's PC.

To be safe, said Guninski, users should not use XML stylesheets. Guninski said that Microsoft was notified of the flaw on 23 May. Microsoft did not immediately respond to requests for comment.

The flaw is the latest in a slew of security alerts to hit Microsoft products. Last week the company warned Windows NT and 2000 users of a new flaw in its debugger tools that could let attackers give themselves complete control of a system once they've gained basic access to that system.

A week before, Microsoft urged Windows users to download a fix for Internet Explorer after six new flaws were found in its Web browser. The software company called three of the flaws critical, but only one of them--a cross-site scripting error that affects only Internet Explorer 6.0--would allow an attacker or a worm to run a program on the victim's computer.