Excel bug has workarounds but no fix

A bug in Excel will allow an attacker to “jimmy a PC sufficiently to snatch control from the rightful owner,” according to Computerworld. Microsoft has published a security advisory as of Tuesday evening. This affects Office Excel 2000, 2002, 2003 SP2, Excel Viewer 2003, and Excel 2004 for Mac. It is not believed to affect Office Excel 2003 SP3 or 2007.

From Computerworld:

In lieu of a patch -- which Microsoft did not promise it would produce -- the company recommended that Office 2003 users run suspect Excel files through MOICE (Microsoft Office Isolated Conversion Environment), a free conversion tool released last year that converts Office 2003 format documents into the more secure Office 2007 formats to strip out possible exploit code. Alternately, it told administrators they could block all Office 2003 and earlier formats except those in "trusted locations" by using File Block, a last-ditch defense that requires editing the Windows registry or modifying Group Policy settings.

The last time that Microsoft patched any edition of Excel was in August 2007, when it issued MS07-044, an update that fixed a similar document format flaw in Excel 2000, Excel 2002, Excel 2003 and Excel 2004 for Mac.

Like many end users, I am directly affected by this. While I have tools in place that are supposed to protect me, I get concerned. I had planned to wait to upgrade my existing Office 2004 for Mac, but now I’m not sure that waiting is a good idea.

How do you protect your computer from being attacked by malicious code? Would you consider using File Block?

Additional information:

Microsoft warns of new Excel vulnerability (NetworkWorld)

Microsoft confirms flaw; outlines defense (ZDNet)

10 comments
CarlK2

Lotus 123 still opens & Saves Exsell. Except for some feechurs (internet links) which aren't needed. Open Office has gotten better. Don't be Sheepeople.

bfpower

Well, I guess that opening only trusted documents is the first key. End user common sense is probably the best security. But I do hope they come up with a patch. I have migrated to 2007 both on my primary work box and my home rig. Maybe I should migrate my secondary work box too... =)

markinct

"End user common sense is probably the best security." Sadly, I have found common sense to be in very short supply...

Tig2

How do you protect your computer from being attacked by malicious code? Would you consider using File Block?

wesley.chin

I have not used FileBlock, but right now there is a nasty bug in Excel versions from 2007 on down. SP3 is needed to protect machines. Office 2007 is not affected.

Tig2

I know that the recommendation from Microsoft is to use MOICE to upgrade an Excel file that is vulnerable (all pre 2003 SP3 versions) to 2007 format. Or perhaps we are talking about the same thing? I know that I really wanted to wait and see what the reception was for Office 2008 for Mac, but I may not have that luxury. I will likely have to upgrade sooner than later.

Tig2

The problem isn't shared by Open Office. So that might be a workaround too. All I know is that I will be extremely leery of any Excel attachments or content that I come across. Being a Mac in this situation gives me a bit more protection, but not much. I'm still just as vulnerable on the web.

wesley.chin

Either that or getting SP3, a 117.5 MB download. Or getting Linux. I wonder if there is a patch or something for OpenOffice or any of the other open source apps out there...

Tig2

Excel 2003 SP3 and Excel 2007 are both considered to be safe from this. Anything earlier is not. Be nice if they would put out a patch. Upgrading is probably going to be my only option.