Critical Excel Flaws Remain Unpatched

By Ryan Naraine  |  Posted 07-12-2006
A day after Microsoft shipped a mega-patch to cover eight Excel vulnerabilities, security researchers warn that at least two critical—and publicly discussed—flaws affecting users of the spreadsheet program remain unpatched.

Proof-of-concept exploit code for both vulnerabilities has been published on the Internet and, in the absence of patches, Microsoft is strongly urging customers to avoid accepting and opening files from untrusted sources.

One of the bugs, rated "highly critical" by Secunia, a security information aggregator based in Copenhagen, Denmark, is actually a code execution hole in Windows that is exploitable via Excel.

Christopher Budd, a program manager in the MSRC (Microsoft Security Response Center), confirmed that the vulnerability is caused by a boundary error in a Windows component called "hlink.dll," which can be used to cause a stack-based buffer overflow if an Excel user is tricked into clicking a specially rigged URL in a malicious Excel document.

"We're still in the process of investigating that issue," Budd said in an interview with eWEEK. "We're working hard on it. At the conclusion of the investigation, we'll take the necessary steps to protect our customers," he added.

The flaw has been confirmed on a fully patched Windows XP SP2 system running Microsoft Excel 2003 SP2. Other versions affected include Microsoft Office 2000, Excel Viewer 2003, Excel 2003, Excel 2002, Excel 2000, Microsoft Office 2003 Professional Edition, Microsoft Office 2003 and Microsoft Office XP, Secunia warned.

The issue was first reported by a hacker called "kcope" on June 20. Immediately after, the MSRC posted an acknowledgment on its blog to make it clear that the proof-of-concept code was not being used in an attack.

"Any attempt to exploit this vulnerability would require convincing a user to open a specially crafted Excel document. The user would then also have to locate and click on a specially crafted long link in that document. We have not found any way to attempt to exploit this vulnerability that involves simply opening a document: A user must locate a click a hyperlink in the document," the MSRC said.

Read the full story on eWEEK.com: Critical Excel Flaws Remain Unpatched