Software // Information Management
03:24 PM

Microsoft Warns Of Excel Hack

The zero-day vulnerability's danger could extend beyond malicious Excel files.

Yet another unpatched bug in Microsoft's widely used Office application suite is being used by hackers to hijack computers, the company's security team has warned.

Late Friday, Microsoft's Security Response Center (MSRC) confirmed that malformed Excel spreadsheets are being used to trigger an unspecified vulnerability in Office 2000, Office XP, Office 2003, and Office 2004 for Mac.

"We are aware of very limited, targeted attacks attempting to use the vulnerability reported," said Alexandra Huft, a security program manager with MSRC, on the group's blog. The company "will provide updates through the MSRC weblog or the advisory as new information develops."

In an associated security advisory, Microsoft said the zero-day vulnerability's danger could extend beyond malicious Excel files, however. "While we are currently only aware that Excel is the current attack vector, other Office applications are potentially vulnerable," the advisory read. A patch is under development, Microsoft added.

"It's still too new to know whether this might actually impact other applications in Office," says Ken Dunham, director of VeriSign iDefense's rapid response team. "Part of the confusion in attacks like this is that the payload has to be examined to see if the vulnerability is the same [as an earlier one] or different, then the vulnerable component must be found. It's a somewhat lengthy process."

The Excel flaw is the fifth unpatched bug in Microsoft Office that's been confirmed since early December 2006. The four others -- three in December, one in January 2007 -- lurked in various versions of Microsoft Word. The run is similar to a multi-month run of Office vulnerabilities in mid-2006.

"Once hackers have [hold of] a file format with vulnerabilities, they focus on it," says Dunham in explaining why it's often the case that one bug leads to a second, a second to a third, and so on. "The same thing happened last year when they found a bug in the WMF [Windows Metafile] format. They started wondering what other image file formats had vulnerabilities."

Hackers, in fact, will systematically test a file format with "fuzzers," software tools that stress test applications with random input to look for crash conditions. VeriSign's iDefense researchers have spotted online test results of the Chinese hacking crews which launched targeted attacks in 2006 using malicious Office documents, Dunham said.

"When they find one hacker Easter egg [vulnerability], they naturally try to find more," says Dunham.

Users can protect themselves by not opening Office documents attached to e-mail messages or offered as downloads by Web sites, said Microsoft. Office 2007, the newest version of the Windows productivity suite, also is immune to the exploit.

The next regularly scheduled security updates from Microsoft will be issued Tuesday, Feb. 13. Microsoft hasn't said whether some, or all, of the unfixed Office flaws will be patched then.

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
The Agile Archive
The Agile Archive
When it comes to managing data, donít look at backup and archiving systems as burdens and cost centers. A well-designed archive can enhance data protection and restores, ease search and e-discovery efforts, and save money by intelligently moving data from expensive primary storage systems.
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of October 9, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll