Critical Security Flaw Found in Microsoft Excel
By Walaika K. Haskins
June 22, 2006 2:15PM

Microsoft is investigating reports of a serious security vulnerability in Excel that, if attacked remotely, not only could cause the program to crash but also could provide a way for hackers to take control of a system.

The disclosure of the new flaw comes as Microsoft attempts to develop a patch to fix another security hole revealed in Excel late last week.

The Microsoft Security Response (MSR) team reported on its blog this week that the vulnerability is the result of a faulty component in Windows that handles system operations involving hyperlinks.

The blog posts downplayed the significance of the vulnerability. "This [is] proof-of-concept code and not an attack," wrote Christopher Budd, an MSR team member. "We are not aware of any attacks based on this code."

However, despite the absence of ready-made hacker software that can take advantage of the flaw, Secunia, a security-monitoring company, has given the bug a rating of "highly critical."

Security Issues

According to Secunia, the flaw is caused by what is called a "boundary error" in an Excel-related Windows file named "hlink.dll."

MSR researchers said that any attempt to exploit the flaw would necessitate convincing a user to open a specially crafted Excel document. Then the user would have to find and click on a specifically designed link in that document.

"We have not found any way to attempt to exploit this vulnerability that involves simply opening a document: A user must locate [and] click [on] a hyperlink in the document," Budd wrote.

Secunia claims to have confirmed the existence of the vulnerability on a fully patched Windows XP system running Excel 2003. Other affected operating systems, according to Secunia, include Windows Server 2003 and Windows 2000.

Microsoft is recommending that people "only accept and open files from trusted sources."

Bad Timing

The flaw could not have been disclosed at a worse time for Microsoft because the company released its latest monthly set of patches just last week. Typically, the software maker does not issue fixes outside of "Patch Tuesday" releases, which means hackers will have one month to come up with malicious software specifically designed to take advantage of this flaw.

"It is bad for Microsoft to have two zero-day exploits in the wild right after their Patch Tuesday," said Rob Ayoub, an analyst at Frost & Sullivan. "They're scrambling to figure out what's going on and probably won't release a patch until their next Patch Tuesday. The timing is pretty bad."

Ayoub said that, other than causing some damage in terms of the public perception, the flaw will not pose too much of a threat. Because hackers have to get users to click on a specially designed link, it will be hard for miscreants to launch any sort of widespread attack, he explained.

"It looks like this is more difficult to execute and won't propagate without user intervention," Ayoub said. "Is it bad? Yes, but it's probably worse for Microsoft's publicity than it might actually be dangerous."
 
