Bug hunter reports flaw in Excel

Security expert Georgi Guninski goes public with an alert on the use of XML style sheets with Microsoft's Excel XP software. The software giant is none too pleased with the word.

May 28, 2002 5:51 p.m. PT

2 min read

A security hole in Microsoft's Excel XP spreadsheet application could allow hackers to take over a computer by using specially formed XML style sheets, according to a security expert.

Georgi Guninski, a well-known security adviser, posted an advisory to his Web site on May 24 alerting people to the security hole. He said that the problem arises when a person opens an Excel spreadsheet file, choosing to view it with an XML style sheet. If the style sheet contains specially formed code, the PC will try to run that code, Guninski said.

"As script kiddies know, this may lead to taking full control over a user's computer," Guninski said. "Excel does not give any warning to the user--just asks whether to use the style sheet or not." By default, however, Excel does not display spreadsheet files with the style sheet, he added.

XML, or Extensible Markup Language, is a method that allows programmers to set up a standard way of describing digital documents, such as word processing files--or, as in this case, Excel spreadsheets.

On his site, Guninski has posted a sample piece of code that would fool Excel XP into thinking it contains a link to a style sheet but in fact runs a command that lists directory contents on a person's PC.

To be safe, Guninski wrote on his site that users should not use XML style sheets. Guninski said that Microsoft was notified of the flaw on May 23.

A Microsoft representative said the software giant was researching the report and criticized Guninski for going public with the alleged flaw.

"Responsible security researchers work with the vendor of a suspected vulnerability issue to ensure that countermeasures are developed before the issue is made public and customers are needlessly put at risk," the representative said.

The flaw is just the latest in a number of security alerts related to Microsoft products. Last week, the company warned people using Windows NT and 2000 of a new flaw in its debugger tools that could give attackers complete control of a system once the attackers gained basic network access.

A week before, Microsoft urged people using Windows to download a fix for Internet Explorer after six new flaws had been found in the Web browser. The software company called three of the flaws critical, but only one of them--a cross-site scripting error that affects only Internet Explorer 6.0--would allow an attacker or a worm to run a program on the victim's computer.

ZDNet U.K.'s Matt Loney reported from London.

News.com's David Becker contributed to this report.