Excel Vulnerability Affects Windows And Mac Users - InformationWeek

1/16/2008
01:50 PM

Excel Vulnerability Affects Windows And Mac Users

A Microsoft advisory Tuesday indicated that the security risk does not appear to impact the latest Excel releases.

Microsoft on Tuesday posted a security advisory warning of a vulnerability in several versions of Microsoft Office Excel that affects both Windows and Mac OS users.

The affected versions include Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000, and Microsoft Excel 2004 for Mac.

Microsoft said that Microsoft Office Excel 2007, Microsoft Excel 2008 for Mac, and Microsoft Office Excel 2003 Service Pack 3 do not appear to be vulnerable.

"At this time, Microsoft is aware of specific targeted attacks that attempt to use this vulnerability," said Tim Rains, security response communications lead for Microsoft, in an e-mail. "Microsoft is aggressively investigating the public reports and customer impact."

Because the flaw is believed not to be widely known, Microsoft considers the risk to be limited.

The attack relies on a maliciously crafted Excel file that contains malformed header information. Attempting to open the file, whether it is reached through a Web browser or received as an e-mail attachment, can corrupt system memory, which could give an attacker the opportunity to execute code remotely on the victim's system or to obtain elevated user privileges.

"In a Web-based attack scenario, an attacker would have to host a Web site that contains a specially crafted Excel file that is used to attempt to exploit this vulnerability," Microsoft said in its advisory. "In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker's site."

Both Microsoft and US-CERT, part of the National Cyber Security Division at the Department of Homeland Security, recommend that Microsoft Office users not open unexpected e-mail messages with attachments or messages from unfamiliar sources.

In a blog post, Microsoft said it is working on a fix that will be released either as part of its regular patch schedule or in an out-of-band release, depending on the impact of the vulnerability.
