Microsoft admits to new Excel vulnerability

Angus Kidman
Tuesday, 06 February 2007 00:59

Your IT - Home IT

A new vulnerability in Excel that could allow hackers to take control of a user's machine has been identified by Microsoft. The software giant says it is working on a solution but has, as ever, declined to specify a timetable for releasing a patch to fix the problem.

The potential vulnerability, which affects the versions of Excel found in Office XP, Office 2003, Office 2000 and Office 2004 for Mac, could allow hackers to run any code they choose by placing a series of special characters inside an Excel file. Users would have to deliberately open a specially-crafted file to be impacted by the vulnerability.

However, this is not a particularly difficult scenario to create, with a large number of high-profile malware attacks such as the recent 'Storm' virus using a combination of code concealed in a file and social engineering techniques designed to persuade users to open that file.

In the security advisory outlining the problem, Microsoft said that while it believed the problem was limited to Excel, it was possible it could also impact other Office applications of the same vintage. Commonly used applications in Office include Word, Outlook and PowerPoint. The vulnerability does not affect the newly-released Office 2007.

Microsoft has come under increasing pressure in recent months over its security approach, which has emphasised a monthly 'Patch Tuesday' group of vulnerability fixes rather than releasing patches as quickly as possible.