Excel Displays Three Holes

Recently, Microsoft has released the largest of its batches of security patches including one for a flaw in Word. However, hackers and researchers have found a series of three holes involving Excel, still to be patched.

When a user opens a 'doctored Excel sheet' from a website, or from an attachment sent with an e-mail, two of the bugs allow launch attacks. One of them is related to the method Excel tackles memory. It could permit a hacker to take full control of your computer. It strikes Excel versions 2000 via 2003 for Windows, Excel 2004 and v. X for Mac.

According to Symantec, the security hole is due to Excel's failure to check data entered by user before storing it in the limited 'memory buffer'. The flaw makes Excel 2003 and Excel XP vulnerable and there is possibility of it affecting other versions.

The second problem, as per Microsoft, arises from an infected link in a spreadsheet, which is a result of a deeply embedded bug in that part of Windows, which handles hyperlink. The third flaw relates to the use of an Office feature by the attackers. The feature can be applied to encrypt a 'doctored Flash movie' in an Excel spreadsheet or other 'Office' document.

Attackers could exploit the flaw in Excel 2000, 2002 and 2003; Office 2000, XP and 2003 to run arbitrary commands by enticing a user to open a specifically designed Excel file.

As per Microsoft, its patches that fully protect the Windows System already have an inbuilt "kill bit" made to protect from malicious codes of the third kind. But eventually one attack is through 'Excel-memory related' bug. The 'proof-of-concept' code is already present for the second, hyper-linking loophole.

There is a warning for users of Excel 2002 (incorporated with Office XP) or Excel 2003 (incorporated with Office 2003) to apply caution before opening any attachment. Customers need to adjust their 'Access Control List' (ACL) of a registry key that can halt exploitation of Excel 2003. Microsoft's team is working on updates to resolve the issue.

Related article: Excel Spam Forms the Latest Trend

» SPAMfighter News - 10/12/2006