Slashdot Mirror


No Patch For Excel Zero-Day Flaw

CWmike writes "Microsoft said today that it will deliver three security updates on Tuesday, one of them marked 'critical,' but will not fix an Excel flaw that attackers are now exploiting. 'It doesn't look like we're going to see patches for any open Microsoft security advisories,' said Andrew Storms, director of security operations at nCircle Network Security, pointing to three that have not yet been closed. Those include two advisories issued last year — one from April 2008, another from December — and the Excel alert published last week. 'I'm not really surprised that the Excel vulnerability won't be patched, what with the timeline,' said Storms, 'but the others have been open for a long time.'"

10 of 52 comments

  1. HAHAHAHHA by Culture20 · · Score: 3, Interesting

    I would be laughing if I didn't have to support MS Office users occasionally. Did they really have to announce that they weren't going to patch Excel?

    1. Re:HAHAHAHHA by Vancorps · · Score: 2, Informative

      Honestly, do you really allow Excel documents to come from the outside? This is why companies have secure transfer facilities for items which could be dangerous if accepted from any random party.

  2. The problem with excel: being mission critical by Slumdog · · Score: 5, Insightful

    OK, you may disagree, but I've worked at banks and found that Excel use is widespread in mission critical applications, research, trading, and what not. It's like the Swiss Army knife for non-programmers engaged in decision making. They don't care about security issues (really, they wouldn't know if there was a security issue in any app until Legal departments tell them).

    The philosophy for these situations is, 'if it's not broken, don't fix it'. As long as Excel remains usable for corporate clients, upgrades and bug fixes will trickle in at a slow rate.

    1. Re:The problem with excel: being mission critical by morgan_greywolf · · Score: 5, Insightful

      Yeah. Decision makers at banks have proved themselves to be really intelligent lately, huh?

    2. Re:The problem with excel: being mission critical by Slumdog · · Score: 2, Interesting

      Yeah. Decision makers at banks have proved themselves to be really intelligent lately, huh?

      Did I say they were intelligent?

    3. Re:The problem with excel: being mission critical by mcgrew · · Score: 2, Insightful

      Considering how powerful spreadsheets (not just Excel) have been for decades, why would anyone open a spreadsheet from an untrusted source? Maybe I should RTFA, but this seems dumb.

      All of them I know of (am I out of date on this?) can open files, etc. Seems to me a spreadsheet should do math and formatting -- and nothing else.

      Ironically, at work I get spreadsheets all the time; I have to convert between Lotus, Excel, and Quattro. I usually send a PDF as well, and more irony here; isn't there an Adobe vuln too?

      I use Star Office at home, but don't have the need for a spreadsheet there. How does Star's spreadsheet fare?

  3. What's the big deal??? by Anonymous Coward · · Score: 2, Funny

    So you receive a virus riddled Excel spreadsheet, open it, the virus infects your system, and what...your system runs as shitty as it always did, the uptime and stability go from crapsville to shitycity, the OS is still as sluggish as it's always been. I mean, hell, there's even a shot that the virus will make things a little better. At least maybe you'll get occasional porn popups from the system tray, and your IE home page will be redirected to an Asian teen movie site. I'd say it's a net win.

  4. Put it into perspective... by Anonymous Coward · · Score: 2, Funny

    I have an Excel spreadsheet that shows the history of such an exploit. Please open the following...

  5. Re:quickly bash them... by larry bagina · · Score: 2, Interesting
    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  6. Re:But let's not forget... by Gnavpot · · Score: 4, Informative

    According to Microsoft, they have a better track-record at fixing bugs faster than Linux.

    I assume you were funny, but in case you were not:

    Microsoft counts from the day they publicly confirm the existence of a bug.

    Most others count from the day the bug was publicly known.

    So if Microsoft delay the confirmation of a publicly known bug, the numbers will work in their favour.