MS Excel Users Susceptible To New Vulnerability

nandemoari writes "Microsoft has warned users that yet another critical vulnerability has been found in its popular Office spreadsheet program Excel. The flaw could allow remote hackers to open and run malicious code on an unsuspecting user's computer through an infected spreadsheet file. Products affected include Office 2000, Office 2002, Office 2003, Office 2007, Office 2004 for Mac, Office 2008 for Mac, and the Open XML File Format Converter for Mac."

dupe?

[pak9rabid]

http://it.slashdot.org/article.pl?sid=09/02/24/1938259

Re:dupe?

[maxume]

Don't be a dildo. The article linked in the summary points to an article on Ars that points to this page:

http://www.microsoft.com/technet/security/advisory/968272.mspx

The link in the comment you replied to points an infoworld article that points to this page:

http://www.microsoft.com/technet/security/advisory/968272.mspx

The articles are about the same issue.

Re:OO to the rescue?

[Rary]

Does this mean that OpenOffice is the workaround for the moment?

Well, that, or not opening unexpected spreadsheets emailed to you by random strangers.

Re:OO to the rescue?

[cortesoft]

The problem with this strategy is the the emails are often times from people you know. These don't normally spread because some spam farm is emailing random addresses, but by having an infected person's computer email all the addresses in their address book (people you know) a copy of the virus. So basically the advice should be to never open unexpected spreadsheets from ANYONE, not just random strangers.

They can do better, here's proof.

[b4dc0d3r]

http://support.microsoft.com/kb/935865

The Microsoft Office Isolated Conversion Environment (MOICE) feature that is added to the Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats is used to more securely open Word, Excel, and PowerPoint binary format files.

They have the code to do this securely... but can't implement it because users want the features which allow security holes. Disable macros and probably internet connections too, convert the file, then open it. Look at all the "issues", which are essentially MS saying these are dangerous (but still in the design).

• After you use MOICE to convert a file, the default save location is the %temp% folder when you try to save the file. Also, the %temp% folder is the default folder when you try to open a file.
• Anyone who has access to the computer can view the files in the %temp% folder.
• When you use MOICE to convert a file, the converted file is saved in the %temp% folder. The converted file is not deleted from the %temp% folder when the file is closed. If a file is opened multiple times, the file is converted multiple times. Additionally, more than one copy of the file is saved in the %temp% folder. If you have made changes to the first copy of the document, the second copy of the document will not contain the changes.
• By default, the applicable program opens after MOICE finishes a file conversion. Then, the converted document is opened. (...snipped...)
• Smart tag data is stripped from PowerPoint presentations when you use MOICE to convert a presentation that contains smart tags.
• Macros are stripped from files when you use MOICE to convert files that contain macros.
• When you open a file by using a link inside a file that has been converted by MOICE, the linked file is not converted by MOICE.
• Embedded documents cannot be converted.
• Documents that use rights management cannot be converted.
• Documents that use passwords cannot be converted.
• You cannot use the Edit Document in Microsoft Office Program_Name feature in Microsoft SharePoint when you use MOICE to convert Office files.
• If damage exists, it will be removed from a binary Word 97-2003 Document (*.doc) file during the conversion. Therefore, the contents of the file may change unexpectedly.