Slashdot Mirror


No Patch For Excel Zero-Day Flaw

CWmike writes "Microsoft said today that it will deliver three security updates on Tuesday, one of them marked 'critical,' but will not fix an Excel flaw that attackers are now exploiting. 'It doesn't look like we're going to see patches for any open Microsoft security advisories,' said Andrew Storms, director of security operations at nCircle Network Security, pointing to three that have not yet been closed. Those include two advisories issued last year — one from April 2008, another from December — and the Excel alert published last week. 'I'm not really surprised that the Excel vulnerability won't be patched, what with the timeline,' said Storms, 'but the others have been open for a long time.'"

52 comments

  1. HAHAHAHHA by Culture20 · · Score: 3, Interesting

    I would be laughing if I didn't have to support MS Office users occasionally. Did they really have to announce that they weren't going to patch Excel?

    1. Re:HAHAHAHHA by Em+Emalb · · Score: 0

      No, they just aren't doing it this time around. But that doesn't fill the requisite MS bashing quota.

      --
      Sent from your iPad.
    2. Re:HAHAHAHHA by Vancorps · · Score: 2, Informative

      Honestly, do you really allow Excel documents to come from the outside? This is why companies have secure transfer facilities for items which could be dangerous if accepted from any random party.

    3. Re:HAHAHAHHA by Culture20 · · Score: 1

      Some businesses require high degrees of personal computing freedom. Thankfully, this often translates into "you break it, you bought it", but I kind of feel like a doctor watching his patients go against sound medical advice.

    4. Re:HAHAHAHHA by Vancorps · · Score: 1

      Fair enough, some businesses don't have the technical staffing to deploy it either. It does effectively fight the problem though which is a shame since more companies don't do it.

    5. Re:HAHAHAHHA by Bert64 · · Score: 1

      Most companies do; it is common for companies to send MS binary formats over the internet, e.g. via email, and blocking them would disrupt things...

      But I agree, it is stupid to receive such files from the outside... Filtering should be set up to only allow known, documented formats, and then parse these formats to validate them against the spec, possibly opening and resaving them in the process to strip out anything malicious (doing this breaks the JPEG exploits that floated around a couple of years ago, for instance)...
      Not foolproof, but it will strip most things and make it much harder to get malicious code through.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
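The filtering Bert64 describes above (accept only known, documented formats and validate them before they reach users), as an added example that is not from the original thread: a small attachment screen that rejects files whose extension is not on an allow-list or whose leading bytes do not match the container that extension implies, and for OOXML workbooks checks that the parts the format requires are present. The ALLOWED table, file names and sample bytes are constructed for illustration.

```python
import io
import zipfile

# Public magic numbers of the two documented Excel containers.
OLE_CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .xls (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                            # Office Open XML .xlsx (ZIP container)

# Allow-list (constructed policy): extension -> container the bytes must actually be.
ALLOWED = {".xls": "ole", ".xlsx": "ooxml"}
# Parts every OOXML workbook carries; a ZIP without them is not a spreadsheet.
REQUIRED_OOXML_PARTS = {"[Content_Types].xml", "xl/workbook.xml"}


def classify_attachment(filename, data):
    """Return (accepted, reason) for one inbound attachment."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    expected = ALLOWED.get(ext)
    if expected is None:
        return False, "extension %r is not on the allow-list" % ext
    if expected == "ole":
        if not data.startswith(OLE_CFB_MAGIC):
            return False, ".xls does not start with the OLE compound-file signature"
        return True, "legacy .xls container signature matches"
    if not data.startswith(ZIP_MAGIC):
        return False, ".xlsx does not start with the ZIP signature"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            missing = REQUIRED_OOXML_PARTS - set(zf.namelist())
    except zipfile.BadZipFile:
        return False, ".xlsx is not a readable ZIP archive"
    if missing:
        return False, ".xlsx lacks required parts: %s" % sorted(missing)
    return True, "OOXML workbook structure present"


def build_zip(parts):
    """Build an in-memory ZIP from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for part_name, body in parts.items():
            zf.writestr(part_name, body)
    return buf.getvalue()


# Constructed sample attachments, not captured from any real mail flow.
SAMPLES = {
    "budget.xlsx": build_zip({"[Content_Types].xml": b"<Types/>", "xl/workbook.xml": b"<workbook/>"}),
    "old_report.XLS": OLE_CFB_MAGIC + b"\x00" * 24,
    "invoice.xls": b"MZ\x90\x00" + b"\x00" * 24,                 # executable renamed to .xls
    "notes.xlsx": build_zip({"readme.txt": b"not a workbook"}),  # ZIP without workbook parts
    "setup.exe": b"MZ" + b"\x00" * 24,
}


def screen_samples():
    """Run the policy over the constructed samples; returns {filename: accepted}."""
    return {fn: classify_attachment(fn, blob)[0] for fn, blob in SAMPLES.items()}
```

Only the first two samples pass; the renamed executable fails the signature check even though its extension is allowed, and the stray ZIP fails the structural check.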
    6. Re:HAHAHAHHA by hesaigo999ca · · Score: 1

      Problem is that an email infected with a virus coming from within your own company's firewall
      means someone's system was infected (using those stupid screensavers again?)
      and now has propagated to Excel files within the network, on the servers, or on local PCs.

      You have no idea how many Excel files get transferred within a company during the day that do not come from the outside, but could be infected.

  2. The problem with excel: being mission critical by Slumdog · · Score: 5, Insightful

    OK, you may disagree, but I've worked at banks and found that Excel use is widespread in mission critical applications, research, trading, and what not. It's like the Swiss army knife for non-programmers engaged in decision making. They don't care about security issues (really, they wouldn't know if there was a security issue in any app until Legal departments tell them).

    The philosophy for these situations is, 'if it's not broken, don't fix it'. As long as Excel remains usable for corporate clients, upgrades and bug fixes will trickle in at a slow rate.

    1. Re:The problem with excel: being mission critical by morgan_greywolf · · Score: 5, Insightful

      Yeah. Decision makers at banks have proved themselves to be really intelligent lately, huh?

    2. Re:The problem with excel: being mission critical by Slumdog · · Score: 2, Interesting

      Yeah. Decision makers at banks have proved themselves to be really intelligent lately, huh?

      Did I say they were intelligent?

    3. Re:The problem with excel: being mission critical by Em+Emalb · · Score: 1

      (really, they wouldn't know if there was a security issue in any app until Legal departments tell them)

      Maybe that's the problem.

      --
      Sent from your iPad.
    4. Re:The problem with excel: being mission critical by Slumdog · · Score: 1

      (really, they wouldn't know if there was a security issue in any app until Legal departments tell them)

      Maybe that's the problem.

      Now! That's what I call attention to detail! Have you thought it could be the problem that caused other problems? Remember SocGen?

    5. Re:The problem with excel: being mission critical by mbooth9517 · · Score: 1

      Why do you think that people are unintelligent if they can't program?

      And incidentally, I think the decision makers at the banks have made some smart decisions from their perspectives, haven't they? After all, they are still coming away with millions.

    6. Re:The problem with excel: being mission critical by morgan_greywolf · · Score: 1

      Why do you think that people are unintelligent if they can't program?

      I don't. I think they're unintelligent if they lend money to people who can't pay it back and then package those loans up as commodities and sell them. I think that's pretty stupid, don't you?

    7. Re:The problem with excel: being mission critical by VENONA · · Score: 1

      Ummm, no. They were smart enough that they could basically package *dirt* and sell it.

      The people that *bought* them were stupid. There were even Signs in the Heavens, in the form of the ratings services assigning the same ratings to some of these that they were giving to Treasury instruments. And there were *still* buyers, to the tune of untold trillions of dollars. Never underestimate the power of human greed.

      What astounds me is that the people at Moody's and the other ratings orgs aren't facing charges yet. I've not even heard that they've had to testify to Congress. Though they well could have been, and I missed it.

      --
      What you do with a computer does not constitute the whole of computing.
    8. Re:The problem with excel: being mission critical by Bert64 · · Score: 1

      Excel is known to get some complex calculations wrong (plenty of documentation on Google for this)... If you are using it for financial accounting you are likely to be in violation of Sarbanes-Oxley requirements.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    9. Re:The problem with excel: being mission critical by morgan_greywolf · · Score: 1

      Where they were stupid is their failure to realize that the economy is a bunch of interconnected parts. Screw others and you screw yourself.

    10. Re:The problem with excel: being mission critical by mcgrew · · Score: 2, Insightful

      Considering how powerful spreadsheets (not just Excel) have been for decades, why would anyone open a spreadsheet from an untrusted source? Maybe I should RTFA, but this seems dumb.

      All of them I know of (am I out of date on this?) can open files, etc. Seems to me a spreadsheet should do math and formatting -- and nothing else.

      Ironically, at work I get spreadsheets all the time; I have to convert between Lotus, Excel, and Quattro. I usually send a PDF as well, and more irony here; isn't there an Adobe vuln too?

      I use Star Office at home, but don't have the need for a spreadsheet there. How does Star's spreadsheet fare?

  3. What's the big deal??? by Anonymous Coward · · Score: 2, Funny

    So you receive a virus riddled Excel spreadsheet, open it, the virus infects your system, and what...your system runs as shitty as it always did, the uptime and stability go from crapsville to shitycity, the OS is still as sluggish as it's always been. I mean, hell, there's even a shot that the virus will make things a little better. At least maybe you'll get occasional porn popups from the system tray, and your IE home page will be redirected to an Asian teen movie site. I'd say it's a net win.

  4. But let's not forget... by Anonymous Coward · · Score: 0

    According to Microsoft, they have a better track-record at fixing bugs faster than Linux.

    1. Re:But let's not forget... by morgan_greywolf · · Score: 1

      According to Microsoft, they have a better track-record at fixing bugs faster than Linux.

      Well, they seem to beat the hell out of OpenOffice.org, anyway. There's a bug in Calc that's been there for like...years now. OTOH, it's not a security bug, at least. ;)

    2. Re:But let's not forget... by lordtoran · · Score: 0, Redundant

      According to Microsoft, they have a better track-record at fixing bugs faster than Linux.

      Do you notice something?

      --
      Want to hear the voice of GOD? cat /boot/vmlinuz > /dev/dsp
    3. Re:But let's not forget... by Gnavpot · · Score: 4, Informative

      According to Microsoft, they have a better track-record at fixing bugs faster than Linux.

      I assume you were funny, but in case you were not:

      Microsoft counts from the day they publicly confirm the existence of a bug.

      Most others count from the day the bug was publicly known.

      So if Microsoft delays the confirmation of a publicly known bug, the numbers will work in their favour.

    4. Re:But let's not forget... by Anonymous Coward · · Score: 0

      Microshit strikes again.

    5. Re:But let's not forget... by Anonymous Coward · · Score: 0

      Confirmation bias?

    6. Re:But let's not forget... by JohnBailey · · Score: 1

      According to Microsoft, they have a better track-record at fixing bugs faster than Linux.

      Well, they would do. They use a different track.

      --
      It is difficult to get a man to understand something when his job depends on not understanding it.
    7. Re:But let's not forget... by Anonymous Coward · · Score: 0

      [Citation Needed]

    8. Re:But let's not forget... by Bert64 · · Score: 1

      There are bugs in MS products that have been there for years too, some of them are even security related...

      Word had a bug since 97 whereby the macro function for counting lines ignored lines with bullet points on them, but when you came to insert to a particular line it counted bullet points and so would put stuff in the wrong place... They fixed it in 2007 with a security hotfix for Word 2003 (wtf was a fix like this doing in a security hotfix?), but 2007 remained broken (may have been fixed by now, but I've not been forced to use it since then).

      There is the SMB bug that was publicised recently, supposedly fixed a couple of months ago but the original bug was reported in 2001... This one was security related too!

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  5. Re:quickly bash them... by Anonymous Coward · · Score: 1, Informative

    Fair enough. On your way out don't let the door hit you where the lord split you.

  6. Re:quickly bash them... by Anonymous Coward · · Score: 0

    And yet you continue to not only read it but to take the time to comment.

  7. good for amerika by Robert+Halcombe · · Score: 1

    My Russian friends can make zero day exploits all day long. It's good for the economy. Keeps you silly Americans busy. I love amerika robert halcombe rhalcom@sovgrp.com

    --
    Need a Russian bride? I have a large supply in a warehouse waiting for you. I offer a great trade-in plan too! Robert H
  8. Re:quickly bash them... by Anonymous Coward · · Score: 0

    har har it's funny because it's like what you think Slashdot is like.

    I've only seen the topic of this article maybe 4 times since it became an issue. Find a better example.

  9. Re:How does this affect us? by Anonymous Coward · · Score: 1, Insightful

    If you don't even know that corporations still use it, why would I trust your advice? You're obviously stupid.

    I love Linux and Open Source, but posts like this really piss me off.

  10. Put it into perspective... by Anonymous Coward · · Score: 2, Funny

    I have an excel spreadsheet that shows the history of such an exploit. Please open the following...

  11. Does this affect Open Office Calc & Apple Numb by Neanderthal+Ninny · · Score: 1

    I wonder if anyone has tested this exploit on Open Office Calc, Apple Numbers and other MS Office compatible applications?

  12. Re:How does this affect us? by Vancorps · · Score: 1

    As much as I don't like the idea of replacing Microsoft on the desktop with any Linux I gotta appreciate the name.

    Big Buck Hunter Safari for the win! The original is too easy by comparison.

  13. No patch for... by iFiLa · · Score: 1

    Ha! Skimming through the subject lines, I thought this post read "No Patch For Adobe Zero-Day Flaw".

  14. Re:quickly bash them... by larry+bagina · · Score: 2, Interesting

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  15. Re:Does this affect Open Office Calc & Apple N by Anonymous Coward · · Score: 1, Informative

    Won't work as-is, and I've never heard of an exploit being successfully 'ported' to OO or whatever. XLS is, like the other "classic" office formats, basically just a serialised object memory dump, which is why it's such a horrific mess and full of vulnerabilities. However, the vulnerabilities always seem to be overwrites dependent on the exact memory structure that the office parser produces, rather than generalised "whoops, we passed user input to an exec()" type ones.

  16. zero-day? by Mr+44 · · Score: 1

    Can we stop using the term "zero-day"? It is supposed to refer to malware that is released the same day the exploit becomes public knowledge. At this point, the Excel bug still may not be fixed, but it's been a heck of a lot more than zero days since it was publicized...

  17. Any info on *what* is the flaw? by Anonymous Coward · · Score: 0

    I'm sorry but can someone tell me what the actual flaw in Excel is? The articles just talk about who found it, who is attacked, or not, but no concrete hint as to the nature of the problem.

    In other words, what exactly is it the patch should change?

  18. Re:How does this affect us? by colinrichardday · · Score: 1

    What? Just a CD, not a DVD?

  19. Re:Does this affect Open Office Calc & Apple N by Bert64 · · Score: 1

    Since OO is based on reverse engineering, it has a far more robust parser for the MS formats... Because they don't know what to expect, their parser is much better at handling unexpected data.. This is also why OO is often much better at opening damaged files.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  20. microsoft is a monopoly by d_leiderman · · Score: 1

    This just proves that being a monopoly allows you to ignore your users.

    Excel is a major tool in many corporates, and having such an exploit can make havoc.

    Not the least, this shows that making your own rules can help you claim whatever you want - time to fix / number of vulnerabilities, etc.

    Design to last - blog on system engineering

  21. Re:quickly bash them... by mcgrew · · Score: 1

    suck.com did one a few years ago called "suckdot", it was hilarious. Tux wearing a turban and wielding a scimitar was priceless! I wish I could find it.

    There are two Uncyclopedia articles about Slashdot: there's slashdot.org, a parody of Slashdot, and Slashdot (country).

    From the parody (formatted to look like slashdot):

    Jump to: navigation, search
    Slashdot
    News for nerds. Stuff that is unimportant and pulled from various web sites across the internets and really doesn't matter all that much.
    Userpage | Preferences | Subscribe | Why should you pay us even more? | Are you sure you don't want to pay us? | Logout | Come on, just try subscribing!

    Slashdot journal entries can be automagically submitted as stories! No, we aren't kidding! You could submit a story to us!!

    The next Slashdot story will be ready soon, but guess what?! SUBSCRIBERS can beat the rush and pay us to see it early!!
    You have not meta-moderated recently! Moderate our moderators, and then get moderated! Great fun, yes?
    You have found the marble in the oatmeal. You get to take a drink from the Firehose! (I don't know what that means, I've just always wanted to put that phrase on top of the Slashdot front page. So here it is.)

    You have 5 Moderation Points! Use 'em or lose 'em! But don't use them in threads you actually want to post in okay? And use them before 3 days is up, or else they will be gone. 3 days, 5 points, GO!

    Ask Slashdot: Network problems and upgrades
    Posted by Konk
    from the it-doesnt-work-pause-NET! dept.
    c1337us asks:

    "I recently purchased an expensive network router for the small business firm where I am the head of the IT department. Unfortunately, I have no clue how to set it up, much less a basic understanding of networking principles. First of all, could someone explain to me what exactly a socket is and second, where can I find this alleged "ether"-net I hear so much about? Will that solve my problems?"

      itsatrap, network, router, slownewsday, loltag, whatcouldpossiblygowrong (tagging beta)<snip>

    From slashdot (country)

    "Netcraft confirms it - Slashdot *is* filled with Linux fanboys." ~ Bill Gates on Slashdot

    "No good editors like Kuro5hin has, No nice layout like Digg.com, Lame !!!."~ CmdrTaco on Slashdot

    "In Soviet Russia, slashdot trolls YUO!." ~ Russian Reversal on Slashdot

    "On the streets these days, a dime bag of kittens costs a pretty penny." ~ Oscar Wilde on Slashdot's "offtopic" moderation

    The Sovereign State of Slashdot is an americanized independent territory roughly located between the Republic of Pakistan and India. The citizens of this unincorporated area, commonly referred to as "dotheads" due to the mark of the beast prominently displayed upon their foreheads, have been denied membership in the UN due to their radical viewpoints since the war of 1912. As a result, Slashdot joined the UN's arch-enemy, NATO, following its invasion by Oprah Winfrey in the Gulf War. The current Prime Minister of Slashdot is CmdrTaco (pronounced KIM-dir-TAY-co).

    <snip>Trolls
    It is common knowledge that Slashdot is populated entirely by trolls, and no other form of life exists within its borders. The trolls constantly go around beating up other trolls through the use of arcane rituals such as '-1 Offtopic'. It seems that the Slashdottians do nothing except this constant abuse of each other (moderation in Slashdottese, although a more complicated version exists, called metamoderation, generally regarded to be one of the most evil products of our era).

    [edit] Economy
    The currency of Slashdot is the Karma Point (which recently replaced the archaic reputation point used under the barter system). In 2001, the Karma Point was cursed by an evil witch who got modded flamebait. Expert moneyologists agree that the curse is a serious matter... <snip>