Software // Information Management
03:24 PM
The Analytics Job and Salary Outlook for 2016
Jan 28, 2016
With data science and big data top-of-mind for all types of organizations, hiring analytics profes ...Read More>>

Microsoft Warns Of Excel Hack

The zero-day vulnerability's danger could extend beyond malicious Excel files.

Yet another unpatched bug in Microsoft's widely used Office application suite is being used by hackers to hijack computers, the company's security team has warned.

Late Friday, Microsoft's Security Response Center (MSRC) confirmed that malformed Excel spreadsheets are being used to trigger an unspecified vulnerability in Office 2000, Office XP, Office 2003, and Office 2004 for Mac.

"We are aware of very limited, targeted attacks attempting to use the vulnerability reported," said Alexandra Huft, a security program manager with MSRC, on the group's blog. The company "will provide updates through the MSRC weblog or the advisory as new information develops."

In an associated security advisory, Microsoft said the zero-day vulnerability's danger could extend beyond malicious Excel files, however. "While we are currently only aware that Excel is the current attack vector, other Office applications are potentially vulnerable," the advisory read. A patch is under development, Microsoft added.

"It's still too new to know whether this might actually impact other applications in Office," says Ken Dunham, director of VeriSign iDefense's rapid response team. "Part of the confusion in attacks like this is that the payload has to be examined to see if the vulnerability is the same [as an earlier one] or different, then the vulnerable component must be found. It's a somewhat lengthy process."

The Excel flaw is the fifth unpatched bug in Microsoft Office that's been confirmed since early December 2006. The four others -- three in December, one in January 2007 -- lurked in various versions of Microsoft Word. The run is similar to a multi-month run of Office vulnerabilities in mid-2006.

"Once hackers have [hold of] a file format with vulnerabilities, they focus on it," says Dunham in explaining why it's often the case that one bug leads to a second, a second to a third, and so on. "The same thing happened last year when they found a bug in the WMF [Windows Metafile] format. They started wondering what other image file formats had vulnerabilities."

Hackers, in fact, will systematically test a file format with "fuzzers," software tools that stress test applications with random input to look for crash conditions. VeriSign's iDefense researchers have spotted online test results of the Chinese hacking crews which launched targeted attacks in 2006 using malicious Office documents, Dunham said.

"When they find one hacker Easter egg [vulnerability], they naturally try to find more," says Dunham.

Users can protect themselves by not opening Office documents attached to e-mail messages or offered as downloads by Web sites, said Microsoft. Office 2007, the newest version of the Windows productivity suite, also is immune to the exploit.

The next regularly scheduled security updates from Microsoft will be issued Tuesday, Feb. 13. Microsoft hasn't said whether some, or all, of the unfixed Office flaws will be patched then.

Comment  | 
Print  | 
More Insights
The Agile Archive
The Agile Archive
When it comes to managing data, donít look at backup and archiving systems as burdens and cost centers. A well-designed archive can enhance data protection and restores, ease search and e-discovery efforts, and save money by intelligently moving data from expensive primary storage systems.
Register for InformationWeek Newsletters
White Papers
Current Issue
How to Knock Down Barriers to Effective Risk Management
Risk management today is a hodgepodge of systems, siloed approaches, and poor data collection practices. That isn't how it should be.
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.