Excel Flaws Being Exploited by Hackers - 22 Jun 2006

Recently revealed critical security flaws in Microsoft Excel have been exploited at least three times by attackers, raising users' fears that Excel will soon be compromised by Internet-based attacks. The exploiters differ somewhat in their attack methods, although all of the attack methods require a user to open a maliciously crafted Excel spreadsheet. Successful attacks result in the attacker remotely controlling the targeted PC.

In one exploit, an Adobe Macromedia Flash-based component launches without any user interaction other than opening the spreadsheet, running code on the unsuspecting user's PC. Another attack embeds code for a Trojan horse onto the PC, and a third requires a user to click a hyperlink within the spreadsheet. However, Microsoft claims that the exploits are simply proofs of concept and that one of the attack methods actually exploits a component of Windows, not Excel.

Regardless of the technical details, Excel users should avoid opening Excel spreadsheets from sources they don't trust. Exploited Excel spreadsheets can take advantage of flaws--whether in Windows or Excel--that let attackers remotely control the compromised PC. And although one attack method requires users to make two mistakes (i.e., opening the document and clicking a hyperlink within the document), two of the exploits work when users do nothing more than open the document.

All of the exploits affect Excel 2003, which is the latest version of the Windows edition of the product. However, some of the exploits also affect other Excel versions, including one that works on various Mac OS X-based versions of Excel.

I presume that Microsoft will fix the flaws on or before its next monthly security patch day, which is set for July. In the meantime, the company has released some workarounds for one of the flaws (see the URL below).

