On July 12, a day after Microsoft shipped a mega-patch to cover eight Excel vulnerabilities, security researchers warned that at least two critical—and publicly discussed—flaws affecting users of the spreadsheet program remained unpatched.
Proof-of-concept exploit code for both vulnerabilities has been published on the Internet. In the absence of patches, Microsoft, of Redmond, Wash., strongly urged customers to avoid accepting and opening files from untrusted sources.
One of the bugs, rated “highly critical” by Secunia, a security information aggregator based in Copenhagen, Denmark, is actually a code execution hole in Windows thats exploitable via Excel.
Christopher Budd, a program manager in the Microsoft Security Response Center, said the vulnerability is caused by a boundary error in a Windows component called “hlink.dll,” which can be used to cause a stack-based buffer overflow if an Excel user clicks on a specially rigged URL in a malicious Excel document.
The flaw has been confirmed on a fully patched Windows XP Service Pack 2 system running Microsoft Excel 2003 SP2. Other versions affected include Microsoft Office 2000, Excel Viewer 2003, Excel 2003, Excel 2002, Excel 2000, Microsoft Office 2003 Professional Edition, Microsoft Office 2003 and Microsoft Office XP, Secunia warned.
The issue was first reported by a hacker called “kcope” on June 20. Immediately afterward, the MSRC posted an acknowledgment on its blog to make it clear that the proof-of-concept code was not being used in an attack.
Microsofts Budd also confirmed a second unpatched Excel issue that affects certain Asian-language versions of Excel. This is described as a buffer overflow that could allow attackers to execute arbitrary code via a crafted spreadsheet.
A security researcher named “Nanika” has published a proof-of-concept Excel file that triggers the overflow when the user attempts to repair the document or selects the “Style” option. Secunia rates the Nanika bug as “highly critical” and warned that the exploit can be modified to launch malicious computer takeover attacks.