Critical Excel Flaws Remain Unpatched

A day after Microsoft shipped a major update to cover eight Excel vulnerabilities, security researchers warn that at least two code execution holes in the spreadsheet program remain unpatched.

A day after Microsoft shipped a mega-patch to cover eight Excel vulnerabilities, security researchers warn that at least two critical—and publicly discussed—flaws affecting users of the spreadsheet program remain unpatched.

Proof-of-concept exploit code for both vulnerabilities has been published on the Internet and, in the absence of patches, Microsoft is strongly urging customers to avoid accepting and opening files from untrusted sources.

One of the bugs, rated "highly critical" by Secunia, a security information aggregator based in Copenhagen, Denmark, is actually a code execution hole in Windows that is exploitable via Excel.

Christopher Budd, a program manager in the MSRC (Microsoft Security Response Center), confirmed that the vulnerability is caused by a boundary error in a Windows component called "hlink.dll," which can be used to cause a stack-based buffer overflow if an Excel user is tricked into clicking a specially rigged URL in a malicious Excel document.

"Were still in the process of investigating that issue," Budd said in an interview with eWEEK. "Were working hard on it. At the conclusion of the investigation, well take the necessary steps to protect our customers," he added.

The flaw has been confirmed on a fully patched Windows XP SP2 system running Microsoft Excel 2003 SP2. Other versions affected include Microsoft Office 2000, Excel Viewer 2003, Excel 2003, Excel 2002, Excel 2000, Microsoft Office 2003 Professional Edition, Microsoft Office 2003 and Microsoft Office XP, Secunia warned.

The issue was first reported by a hacker called "kcope" on June 20. Immediately after, the MSRC posted an acknowledgment on its blog to make it clear that the proof-of-concept code was not being used in an attack.

"Any attempt to exploit this vulnerability would require convincing a user to open a specially crafted Excel document. The user would then also have to locate and click on a specially crafted long link in that document. We have not found any way to attempt to exploit this vulnerability that involves simply opening a document: A user must locate a click a hyperlink in the document," the MSRC said.

/zimages/7/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

Microsofts Budd also confirmed a second unpatched Excel issue that affects certain Asian-language versions of Microsoft Excel. This is described as a buffer overflow that could allow attackers to execute arbitrary code via a crafted spreadsheet.

A security researcher named "Nanika" has published a proof-of-concept Excel file that triggers the overflow when the user attempts to repair the document or selects the "Style" option.

Secunia rates the Nanika bug as "highly critical" and warned that the exploit can be modified to launch malicious computer takeover attacks.

"Successful exploitation may allow execution of arbitrary code, but requires that the user chooses to repair the document (Excel 2002/2003) or clicks the Style option (Excel 2000)," the company said.

This issue was published on July 6, 2006, and Budd said the MSRC is still investigating the cause of the vulnerability before creating a patch.

Security flaws in the Microsoft Office software suite have been used in a spate of zero-day attacks against business targets recently. Over the last four months, Microsoft has patched a whopping 19 Office flaws.

In the July batch of patches, the company released the MS06-037 bulletin to provide fixes for a wide range of "remote code execution" flaws that could let hackers take "complete control of the vulnerable client workstation."

"We recommend that customers apply the update immediately," Microsoft said.

/zimages/7/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.