Slashdot Mirror


MS Excel Users Susceptible To New Vulnerability

nandemoari writes "Microsoft has warned users that yet another critical vulnerability has been found in its popular Office spreadsheet program Excel. The flaw could allow remote hackers to open and run malicious code on an unsuspecting user's computer through an infected spreadsheet file. Products affected include Office 2000, Office 2002, Office 2003, Office 2007, Office 2004 for Mac, Office 2008 for Mac, and the Open XML File Format Converter for Mac."

64 comments

  1. dupe? by pak9rabid · · Score: 4, Informative
    1. Re:dupe? by Anonymous Coward · · Score: 0

      From TFA:

      "Microsoft has warned users that yet another critical vulnerability"

    2. Re:dupe? by maxume · · Score: 5, Informative

      Don't be a dildo. The article linked in the summary points to an article on Ars that points to this page:

      http://www.microsoft.com/technet/security/advisory/968272.mspx

      The link in the comment you replied to points to an infoworld article that points to this page:

      http://www.microsoft.com/technet/security/advisory/968272.mspx

      The articles are about the same issue.

      --
      Nerd rage is the funniest rage.
    3. Re:dupe? by Camann · · Score: 1

      No, I followed links all the way to the security advisories. They are the EXACT same vulnerability. http://www.microsoft.com/technet/security/advisory/968272.mspx

      --
      I can't believe you don't know what a Hasemalphaginnojinglanaporphomism is.
    4. Re:dupe? by pak9rabid · · Score: 1, Redundant

      No. Re-read the first sentence of the summary and pay attention to a very important qualifier which I will bold for you.

      Nice try, but if you actually did 1 min of research you'd realize they're referencing the same issue.

    5. Re:dupe? by LostCluster · · Score: 1

      This is one of those stories that deserves a dupe at a different time of day so that it's seen by more readers. It's getting no mainstream coverage, yet almost as many businesses and students who use Windows also use Excel and this is a gaping zero-day problem. Same advice as Access files now applies to Excel... you may be opening an unknown executable by opening a crafted-to-do-so .xls file.

    6. Re:dupe? by smoker2 · · Score: 1

      I'm sorry, but isn't EVERY story about a Microsoft 0-Day a dupe ?

  2. Really?? by aztektum · · Score: 3, Funny
    --
    :: aztek ::
    No sig for you!!
  3. Leave it to Microsoft... by Anonymous Coward · · Score: 2, Insightful

    ... to create a vulnerability on my Mac.

    1. Re:Leave it to Microsoft... by emocomputerjock · · Score: 5, Funny

      Consider it revenge for Quicktime.

    2. Re:Leave it to Microsoft... by D+Ninja · · Score: 1

      It's times like these I wish the mod points went higher than 5.

      Thank you very much for a good laugh. QuickTime = The Plague on my computer. How I wish I could get rid of it.

    3. Re:Leave it to Microsoft... by Anonymous Coward · · Score: 0
    4. Re:Leave it to Microsoft... by InsertWittyNameHere · · Score: 1

      I for one applaud them for finally achieving compatibility between OS's and Office versions.

    5. Re:Leave it to Microsoft... by D+Ninja · · Score: 1

      Thanks for the suggestion, but, unfortunately, I *do* use and like iTunes. The whole "being bundled together" thing is what I can't get around.

  4. And people wonder why... by Indy1 · · Score: 3, Insightful

    I choose to use open office, even though I get M$ office free through work.

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
    1. Re:And people wonder why... by Anonymous Coward · · Score: 0

      sup dude. what's the website number for open office?

    2. Re:And people wonder why... by Anonymous Coward · · Score: 0

      204.16.104.2

    3. Re:And people wonder why... by hairyfeet · · Score: 2, Insightful

      The problem with OO.o is while Writer can take the place of Word for most folks, unless you work in an office that needs those little functions that Word does that Writer doesn't, according to everyone I've talked to that uses spreadsheets Calc is a freaking bad joke compared to Excel.

      Now since I am not a spreadsheet user I can't give you a nice bulletpoint list, although I'm sure there are plenty here who could, but I have worked with enough SOHOs and SMBs to know that there is NO WAY in hell to replace Excel with Calc. They simply aren't in the same league. Maybe now that they seem to have Writer down they will devote the resources to bringing Calc up to par, but with this economy that is doubtful.

      So while I am glad you have the ability to switch, I'm willing to bet you do the vast majority of work in Writer and NOT in Calc. That is why I give OO.o free to my home customers but not to my business ones. Because for home users OO.o is a quite capable MS Office replacement. Businesses? Not so much.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  5. So is it still.... by sunking2 · · Score: 1

    a 0 day exploit?

  6. OO to the rescue? by Joska · · Score: 2

    Does this mean that OpenOffice is the workaround for the moment?

    1. Re:OO to the rescue? by Rary · · Score: 3, Informative

      Does this mean that OpenOffice is the workaround for the moment?

      Well, that, or not opening unexpected spreadsheets emailed to you by random strangers.

      --

      "You cannot simultaneously prevent and prepare for war." -- Albert Einstein

    2. Re:OO to the rescue? by Jaden42 · · Score: 1

      Well, that, or not opening unexpected spreadsheets emailed to you by random strangers.

      Or not have friends who do the same thing.

      And they'll tell two friends... and they'll tell two friends..

    3. Re:OO to the rescue? by cortesoft · · Score: 3, Informative

      The problem with this strategy is the emails are oftentimes from people you know. These don't normally spread because some spam farm is emailing random addresses, but by having an infected person's computer email all the addresses in their address book (people you know) a copy of the virus. So basically the advice should be to never open unexpected spreadsheets from ANYONE, not just random strangers.

    4. Re:OO to the rescue? by Rary · · Score: 1

      Actually, in this case, the attacks have mainly been directed at specific targets. Nevertheless, if someone does decide to add the old "email to everyone in contact list" functionality to this, you're still safe as long as you ignore any strange emails with spreadsheets attached, even if they come from someone you know.

      Either way, as an Excel user, I can't say I'm going to lose any sleep over this one.

      --

      "You cannot simultaneously prevent and prepare for war." -- Albert Einstein

    5. Re:OO to the rescue? by this+great+guy · · Score: 1

      Because, you know, malware sending spam looking as if it came from your acquaintances does not exist at all.

    6. Re:OO to the rescue? by Joska · · Score: 1

      Since this scored a 5, it may be helpful to define random strangers and compare the relative threat they pose with the other types. Being a simple soul, it had already occurred to me to avoid opening attachments from unknown sources, but this new level of complexity has me intrigued.

      Perhaps I'm being pedantic, in which case, I'm sorry. ;)

    7. Re:OO to the rescue? by Haiyadragon · · Score: 1

      Good thing I only know very specific strangers.

    8. Re:OO to the rescue? by ACMENEWSLLC · · Score: 1

      Yes, people you know. For example, per my antivirus software, the last XLS document on this page:
      http://www.insurance.mo.gov/industry/forms/index.htm

      has MS08-057 exploit in it. My local state government.

    9. Re:OO to the rescue? by Bert64 · · Score: 1

      Or if you're on a corporate network where you have file shares, not opening any file on the public file shares in case another user has been infected and spread it to public shares...

      Or not opening expected spreadsheets from trusted sources because most malware tries to send itself to addresses found in your address book or inbox...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    10. Re:OO to the rescue? by Bert64 · · Score: 1

      Or until someone implements functionality to "infect any spreadsheet on the local machine"...
      That way all it takes is for someone you know to be infected, and the next time they send you a spreadsheet for whatever reason it's infected.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  7. Adobe is having a party by microbee · · Score: 1

    Pewwww, finally Microsoft comes to the rescue and takes the heat from us, as always. Bob, send the excel team a cake.

    1. Re:Adobe is having a party by Anonymous Coward · · Score: 0

      Bob: "Sorry Jim, the cake is a pie."

  8. Dupe submitter by Volante3192 · · Score: 1

    Second dupe today from nandemoari going to infopackets.com.

    Someone's fishing for traffic here.

    1. Re:Dupe submitter by Anonymous Coward · · Score: 0

      Heck, Taco admitted the dupe, and published it anyway. Methinks someone's not just fishing for traffic; someone paid sourceforge for traffic.

  9. And we all know that the "From" field in emails... by cpu_fusion · · Score: 2, Insightful

    ... is a reliable indicator of who sent the email... ;-)

  10. application or OS flaw .. by viralMeme · · Score: 1

    Is this a flaw in the Operating System or a flaw in the application like the Adobe one and who is to blame this time ...

  11. Re:And we all know that the "From" field in emails by Rary · · Score: 1

    ... is a reliable indicator of who sent the email... ;-)

    Well, even if it appears to come from someone you know, it's not that difficult to avoid.

    Here's a test. Would you open the attachment if you received the following email from your mom?

    From: Mom
    Subject: info
    Attachment: morgage.xls
    here is the info you reqeusted

    --

    "You cannot simultaneously prevent and prepare for war." -- Albert Einstein

  12. They can do better, here's proof. by b4dc0d3r · · Score: 3, Informative

    http://support.microsoft.com/kb/935865

    The Microsoft Office Isolated Conversion Environment (MOICE) feature that is added to the Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats is used to more securely open Word, Excel, and PowerPoint binary format files.

    They have the code to do this securely... but can't implement it because users want the features which allow security holes. Disable macros and probably internet connections too, convert the file, then open it. Look at all the "issues", which are essentially MS saying these are dangerous (but still in the design).

    • After you use MOICE to convert a file, the default save location is the %temp% folder when you try to save the file. Also, the %temp% folder is the default folder when you try to open a file.
    • Anyone who has access to the computer can view the files in the %temp% folder.
    • When you use MOICE to convert a file, the converted file is saved in the %temp% folder. The converted file is not deleted from the %temp% folder when the file is closed. If a file is opened multiple times, the file is converted multiple times. Additionally, more than one copy of the file is saved in the %temp% folder. If you have made changes to the first copy of the document, the second copy of the document will not contain the changes.
    • By default, the applicable program opens after MOICE finishes a file conversion. Then, the converted document is opened. (...snipped...)
    • Smart tag data is stripped from PowerPoint presentations when you use MOICE to convert a presentation that contains smart tags.
    • Macros are stripped from files when you use MOICE to convert files that contain macros.
    • When you open a file by using a link inside a file that has been converted by MOICE, the linked file is not converted by MOICE.
    • Embedded documents cannot be converted.
    • Documents that use rights management cannot be converted.
    • Documents that use passwords cannot be converted.
    • You cannot use the Edit Document in Microsoft Office Program_Name feature in Microsoft SharePoint when you use MOICE to convert Office files.
    • If damage exists, it will be removed from a binary Word 97-2003 Document (*.doc) file during the conversion. Therefore, the contents of the file may change unexpectedly.
  13. business risk of Open Source .. by viralMeme · · Score: 1

    "Our own research, however, has concluded that open source software exposes users to significant and unnecessary business risk, as the security is often overlooked, making users more vulnerable to security breaches,"

    "That's not to say that commercial software isn't without risks, but any flaws on commercial applications tend to get patched a lot faster than on open source, as the vendors producing the software have a lot more to lose than an open source programmer,"

    "New variant of Conficker worm circulates"

    1. Re:business risk of Open Source .. by Anonymous Coward · · Score: 0

      And this coming from a website that actually writes articles about the results of Slashdot polls.

      Do not feed the trolls... do not feed the trolls... do not feed the trolls...

    2. Re:business risk of Open Source .. by Anonymous Coward · · Score: 0

      Keep repeating the same lies Mr. Microsoft employee.

      We still won't believe them, but you lessen your credibility with each telling; ask the republicans how that's working out for them.

  14. Re:And we all know that the "From" field in emails by BobReturns · · Score: 1

    Yes, because I know how bad my mum is at spelling - the misspelling of mortgage is a dead giveaway that it's her.

  15. meta-Dupe by Gothmolly · · Score: 1

    http://it.slashdot.org/article.pl?sid=09/02/25/024211

    Yet another case where a document has blurred into an application, the way Windows blurred from a WM to an OS.

    DONT CROSS THE STREAMS! Curse you von Neumann.

    --
    I want to delete my account but Slashdot doesn't allow it.
  16. Re:virus protection for mac by BobReturns · · Score: 0

    You don't, as long as you don't install office.
    Pretty much all the problems to date have been the result of office components being compromised.

  17. Re:virus protection for mac by Anonymous Coward · · Score: 1

    So why does Secunia have 861 OSX vulnerabilities listed? And if "pretty much" all the problems have been external why does Apple release patches so frequently? Do they patch other peoples code?

  18. Re:And we all know that the "From" field in emails by PitaBred · · Score: 1

    You must not know very many people. I have gotten many valid messages of that caliber of spelling and grammar. Hell, I'm lucky if they even have a subject sometimes.

  19. Re:virus protection for mac by lord_rotorooter · · Score: 2

    As with any religion those facts are swept under the table to better keep the faith. Only think happy thoughts, don't let reality distract the warm fuzzy feelings...

  20. Calc has issues by Nerdposeur · · Score: 1

    Oo Writer is fine, and I use Oo exclusively at home on the principle that document standards should be open.

    But yes, I use Excel at work and Calc at home, and Calc is very annoying by comparison.

    For one thing, Excel will let you set a default number format (currency, integer, date, etc) on a whole row or column and whatever you enter thereafter will use that format. I try that with Calc, and it never works. Not only does it not remember the setting, but it forces me to apply the formatting to EACH individual cell AFTER entering the info.

    And all I'm doing is keeping a simple balance sheet.

    1. Re:Calc has issues by mysticgoat · · Score: 1

      I'm not sure what you are doing. But you are doing it wrong.

      I've been using OOoCalc for a little over a year. It does have some annoyances, but loss of preset formats is not one of them. I suspect that there is a default setting or preference that governs this.

      Personal annoyances:

      1. Cursor control: If I scroll off the screen while highlighting, sometimes I get into a runaway scrolling situation. This is on Ubuntu, and it might not belong to OOo. Workaround: Don't do that.
      2. OOoCalc likes semi-colons in places where Excel likes commas. Workaround: Let old habits die.
      3. Some of the old keyboard shortcuts are different or don't exist. Workaround: Let old habits die.
      4. There are a few more, but they all come down to less trouble going from Excel to OOoCalc than I had going from Lotus 1.2.3 to Excel.

      OOoCalc looks more powerful in terms of graphing, but I haven't done enough with either to say for sure.

      I stopped using spreadsheet macros when I went from Excel for DOS to Excel under Windows. With WinXL the security risks were too great. Now I'm thinking spreadsheet macros are probably useable again, but I'm out of the habit.

    2. Re:Calc has issues by Nerdposeur · · Score: 1

      I'm not sure what you are doing. But you are doing it wrong.

      What I am doing is highlighting some cells, and going to Format, Cells, and choosing a format. (I'm basing this on Excel, which I have in front of me right now, but I believe the steps are the same in Oo.) How is that not the right way to format cells?

      I've been using OOoCalc for a little over a year. It does have some annoyances, but loss of preset formats is not one of them. I suspect that there is a default setting or preference that governs this.

      There is a setting that, by default, does not let you format all the cells you select by choosing Format, Cells? If that is correct, I can't imagine why such a setting exists.

    3. Re:Calc has issues by mysticgoat · · Score: 1

      Sounds like possibly the formatting you have set up in advance of data entry is being overwritten by the "AutoInput" reformatting capability, or something like that.

      Play around with your settings under Tools/Cell_Contents and Tools/Auto_Correct. Also, look over the options in Tools/Options.

      Also, get familiar with your resources. The OOo Help system is generally more usable than MS Help ever was (it is not yet complete and some of the entries need more clarification... but the volunteers are continuously improving it). There are very good support forums at OOo Support. Also, there is Solveig's blog that addresses a problem very similar to yours, as well as a lot of other things pertaining to transitioning.

      Main thing: recognize that the OOo defaults are set up to assist total n00bes (like grade school students) in making their first spreadsheets work. You are no longer in that category: you know too much. You can use the extensive OOo online community to figure out how to best control the power of OOo for your own use, but if you continue to ride that motorcycle with the training wheels still attached, yeah, you are not going to be happy.

  21. A Test Case? by Anonymous Coward · · Score: 1, Funny

    I work with security and would love to know how to craft such files for, *cough*, academic reasons. Any hints?

  22. I wonder... by AlgorithMan · · Score: 1

    I wonder what the world would be like, if the law forced every software manufacturer to notify their users about known vulnerabilities - how severe they are and how long they have been unfixed... maybe have a widget on the desktop, showing the top 20 very severe, unfixed vulnerabilities... I think I would bet my life, that windows would hardly exist on the market anymore...

    --
    The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
  23. Re:dupe? Yes: BUT, how to fix it from MS... apk by Anonymous Coward · · Score: 0

    http://www.microsoft.com/technet/security/advisory/968272.mspx

    (The possible "catch-22's" are listed on that page (which shouldn't BE any if you do what is below properly), as well as the basics, which I am putting out examples for others to use here, on how to implement this work-around from MS for this EXCEL issue - read on)

    Create the "BinaryFiles" entry, using this template (copy the contents of what's between these dashed lines into notepad.exe, save it to disk w/ a .reg extension, to open it in regedit.exe later for "merging")

    ----

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]
    "BinaryFiles"=dword:00000001

    ----

    Copy & paste THAT to notepad.exe (what's between the dashed lines above), save it to disk, & THEN?

    Open it in regedit.exe, to merge it...

    (HOWEVER - This will stop EXCEL from working though, so you need to do just a wee bit more, like so (creating an exempt folder, from w/in which you CAN run .xls files again)):

    -----

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Office]

    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0]

    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Common]

    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Common\OICEExemptions]
    "ExemptDirectory"="C:\\Documents and Settings\\APK\\My Documents"

    ----

    Again - Copy & paste THAT to notepad.exe (what's between the dashed lines above), save it to disk, & THEN?

    Open it in regedit.exe, to merge it...

    "VOILA - DONE!"

    ----

    E.G.-> My having done so here, yesterday?

    Well - I'm once again able to open Excel sheets I created back in 1997 even... as well as current Office 2003 ones I use occasionally here (not a BIG Excel user usually anymore, though, on MY part).

    IMPORTANT NOTE: Do please note, that I am using a LOCAL disk pathway, & that IF you have to use a UNC network path? I am NOT sure it will work here (that YOU have to test if you do this)...

    HOWEVER - Simply keeping the SERVER service PATCHED (vs. other recently + past executed & exploiting machinations out there today that take advantage of holes in it, such as the recent server service RPC/Port 445 vulnerability) & active, you can simply map network drives to use & assign them a driveletter & voila - SHOULD work, just as mine does here on LOCAL disks, just fine (for those that will have to use UNC paths OR mapped network drives as letters).

    APK

    P.S.=> OH, also? The Folder you edit into "ExemptDirectory" may be diff. than mine, but, it HAS to exist first, before you apply & try this... &, that is where you will have to gather all your EXCEL SPREADSHEET files & place them into said folder... or, you won't be able to use them, via opening them in EXCEL from that folder!

    (Common-sense, yes I know, but worth noting just in case)... apk
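
    As an added example (not part of the comment above or of Microsoft's advisory): the same two registry changes the comment applies by merging .reg files, done with PowerShell so that the checks the P.S. asks for are enforced up front (the exempt folder must already exist, and it must be a local or drive-letter path rather than an untested UNC path), plus an -Undo switch for removing the block once the patch is installed. The default exempt folder path and the -Undo switch are my assumptions; 11.0 is the Office 2003 version key the comment uses.

```powershell
# Added example: apply or undo the Excel FileOpenBlock workaround from
# Microsoft advisory 968272 for Office 2003 (registry version key 11.0).
param(
    # Assumed default; any existing local folder will do.
    [string]$ExemptDirectory = (Join-Path $env:USERPROFILE 'My Documents\Excel'),
    [string]$OfficeVersion   = '11.0',
    [switch]$Undo            # assumed helper: revert both changes after patching
)

$blockKey  = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Excel\Security\FileOpenBlock"
$exemptKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Common\OICEExemptions"

if ($Undo) {
    # Remove only the two values the workaround set; leave other policies untouched.
    foreach ($pair in @(@($blockKey, 'BinaryFiles'), @($exemptKey, 'ExemptDirectory'))) {
        if (Test-Path -LiteralPath $pair[0]) {
            Remove-ItemProperty -Path $pair[0] -Name $pair[1] -ErrorAction SilentlyContinue
        }
    }
    Write-Output "FileOpenBlock workaround removed for Office $OfficeVersion."
    return
}

# The exempt folder has to exist before the policy is applied, or Excel
# will refuse every .xls file (the comment's "catch-22").
if (-not (Test-Path -LiteralPath $ExemptDirectory -PathType Container)) {
    throw "Exempt directory '$ExemptDirectory' does not exist; create it and move your .xls files there first."
}

# The comment only vouches for local paths; require a drive letter, not \\server\share.
if ($ExemptDirectory -like '\\*') {
    throw "Map the share to a drive letter first; UNC paths are not known to work with OICEExemptions."
}

# Block opening of legacy binary (.xls) files outside the exempt folder.
New-Item -Path $blockKey -Force | Out-Null
New-ItemProperty -Path $blockKey -Name 'BinaryFiles' -PropertyType DWord -Value 1 -Force | Out-Null

# Allow binary files that live in (or under) the exempt folder.
New-Item -Path $exemptKey -Force | Out-Null
New-ItemProperty -Path $exemptKey -Name 'ExemptDirectory' -PropertyType String -Value $ExemptDirectory -Force | Out-Null

# Echo what was written so the change can be audited.
[pscustomobject]@{
    BinaryFiles     = (Get-ItemProperty -Path $blockKey).BinaryFiles
    ExemptDirectory = (Get-ItemProperty -Path $exemptKey).ExemptDirectory
}
```

Run it once per user profile, since both keys live under HKEY_CURRENT_USER; the values written are identical to those in the two .reg templates above.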

  24. Re:dupe? Of course. Typical arstechnica puke by Anonymous Coward · · Score: 0

    Arstechnica: Always a day late and a dollar short - what do you want from a pack of unqualified fakes that pretend to know about computing after all. Look at Jeremy Reimer who has no degree, no certifications, and certainly no years to decades of doing the job in the arena of computer sciences. He's one of their top dogs there and if that doesn't give you an indicator of why all they do is spit back news others have already put out then nothing else will. Reimer and his friends Jay Little, Jarrett DeAngelis were also all caught impersonating others online and had law enforcement called on them, as well as their isp for email harassment, libel, and other misdoings over at windowsitpro magazine's forums a few years ago. It was especially funny when Jay Little literally claimed to be an exchange expert and then was caught with his pants down on a point about exchange being fixed when it freezes due to memory fragmentation and how memory optimization programs could fix that. Some experts over there at arstechnica. Experts in their own minds only.