/>
X
Business

Microsoft plugs dangerous Excel security holes

Microsoft today issued patches for seven potentially dangerous security flaws in the Microsoft Excel worksheet software
Written by Ryan Naraine, Contributor on

Microsoft today issued patches for seven potentially dangerous security flaws in the Microsoft Excel worksheet software and warned that hackers could launch remote code execution attacks if a Windows user opens a specially crafted Excel file.

The Microsoft Excel fixes headline this month's batch of Patch Tuesday updates, which also includes cover for a vulnerability in the Windows Movie Maker and Microsoft Producer 2003 programs.

[ SEE: New Microsoft IE flaw under attack ]

One of the Excel flaws -- CVE-2010-0263 -- is the first vulnerability to be addressed in the new Open XML file format.

The Excel update (MS10-017) affects all currently supported versions of Microsoft Office Excel. It also affects Office 2004 and Office 2008 for Mac, the Open XML File Format Converter for Mac, supported versions of Excel viewer and SharePoint 2007.

As with most Office vulnerabilities, a user would have to open a specially crafted file in order to be exploited, according to Microsoft's security response team.

[ SEE: Microsoft investigating another IE browser vulnerability ]

Although the second bulletin (MS10-016) lists Microsoft Producer 2003 in the affected products list, the company did not offer a patch for that piece of software.

Here's the explanation from Microsoft's Adrian Stone:

Producer 2003 is a free download with limited distribution. At this time, we are not offering an update for Producer 2003. Our standard approach is to produce updates that can be deployed automatically for all affected products at the same time but Producer 2003 does not offer a means for automatic update. Based on our investigation, we determined that the best way to protect the vast majority of customers was to release an update addressing the components that shipped with Windows. While we continue to investigate Producer 2003, we recommend that customers either uninstall the application or apply an available Microsoft Fix It to disassociate the project file type from the application to add an extra layer of security.

Microsoft also re-released the MS09-033 bulletin to add Virtual Server 2005 to the affected products list.

Editorial standards

Related

The 19 best early Cyber Monday deals under $30
Amazon Fire TV Stick 4K

The 19 best early Cyber Monday deals under $30

Live blog: 100+ of the best early Cyber Monday deals
Large white Cyber Monday text with electronics behind it

Live blog: 100+ of the best early Cyber Monday deals

The 51 best early Cyber Monday deals on Amazon
Image of Amazon Echo Show 8 on a wooden table in front of a person cooking and folding pastry dough.

The 51 best early Cyber Monday deals on Amazon