Second zero-day Excel flaw emerges

Another yet-to-be-patched Excel security hole is reported--and there's sample attack code on the Net, experts say.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
3 min read
Attack code for a new security hole in Excel has surfaced on the Internet, just as Microsoft is scrambling to respond to a separate bug in the spreadsheet program.

The latest vulnerability could cause Excel to crash after a malicious file is opened, according to an alert Symantec sent to customers on Monday. The security company also said there was a risk that an intruder could commandeer a PC. "Attackers may also be able to execute arbitrary code?but this has not been confirmed," it said.

The security hole exists because Excel fails to properly check user-supplied input before copying it to an insufficiently sized memory buffer, Symantec said. Excel 2003 and Excel XP are vulnerable, and other versions may also be affected, Symantec said.

Security monitoring company Secunia deems the issue "highly critical," one notch below its most severe ranking, according to an alert it published on Tuesday.

Sample computer code that exploits the flaw is publicly available on the Net. However, Secunia said it is not aware of any current attacks using the security hole.

Microsoft is looking into the issue, a company representative said in a statement Tuesday. "Based on our investigation, the issue is a new vulnerability in Microsoft Windows that may be exploited when clicking on a hyperlink with Office documents," the representative said. Microsoft is not aware of any attacks that exploit this flaw, he added.

The latest Excel vulnerability comes just as Microsoft is grappling with another yet-to-be-patched bug in the spreadsheet application. That flaw, disclosed late last week, could give an attacker full control over a vulnerable PC and has been exploited in at least one targeted cyberattack, Microsoft has said.

To exploit either one of the new flaws, an attacker would craft a malicious Excel file and host that file on a Web site, send it via e-mail, or otherwise provide it to the intended victim. The attempt can be successful only if the file is opened on a vulnerable PC.

Both vulnerabilities come on the heels of Microsoft's "Patch Tuesday" batch of security updates. Last week, Microsoft released 12 patches that addressed 21 vulnerabilities in various products, including Office applications. The company has said it is working on a patch for the first new Excel flaw.

Some experts believe the timing of the new exploits is no coincidence, as miscreants will have a month until patches are available. Microsoft typically does not release fixes outside of its monthly patching cycle for such flaws, these experts said.

On Monday, Microsoft posted tips for users to respond to the first Excel flaw, which affects all versions of the software, including those for Apple Computer's Mac OS. Microsoft suggests caution when opening Excel files. It also recommends blocking such files when they arrive as e-mail attachments or changing PC settings so spreadsheets can't be opened from the Outlook e-mail client or the Web.

For Excel 2003, Microsoft recommends that people prevent the application from running in "repair mode" by modifying some settings in the Windows Registry. The flaw is exploited in that special mode, Microsoft said in a security advisory on the issue.