Quantcast
PC World: Technology Advice You Can Trust
Search
Browse by Topic
Subscribe to magazine

Magazine

Subscribe & Get
a Bonus CD

Customer Service

Find a Review
Dads & Grads Gift Guide Audio & Video Business Center Cameras Cell Phones & PDAs Communications Components & Upgrading Desktop PCs DVD & Hard Drives Gaming Hardware & Software HDTV Laptops Macs & iPods Monitors Printers Spyware & Security The PCW Test Center Windows Vista & XP
Resource Centers
Asus Notebook Center
CDW Solution Center
HP Ink Center
Intel Technology Center
Lenovo Laptop Showcase
White Paper Library
Webcast Library
Most Popular Search Terms
Most Popular Products
Most Popular Downloads
Free Newsletters
Receive the latest reviews, how-to's, news, and more.
Product Tips & Reviews
Daily Downloads
Windows Vista
Go
WiFi Finder
Locate wireless services by a specific address, city, state, country, airport, or zip code.
RSS Feeds
Get our latest content via convenient RSS feeds.
Latest News
Today @ PC World
Become a PCW Member
Join the community and start enjoying the benefits:
  • Get tech advice from thousands of PC World Members
  • Rate and recommend the latest tech products
  • Share your thoughts in blog and article comments
  • Get free excerpts and exclusive discounts on Super Guides
Signing up is free and easy.
Read More About: Microsoft OfficeSoftware BugsProductivity

Months-Old Excel Exploit Goes Public

Gregg Keizer, Computerworld

Sunday, March 23, 2008 1:00 PM PDT
Recommend this story?
Yes
No

Attack code that exploits a bug in Microsoft Excel went public last week, a security researcher said, prompting him to urge users to immediately apply a March 11 patch.

The exploit, which was posted to the milw0rm.com site last Friday, is the first made public for any of the seven vulnerabilities that were patched by Microsoft several days earlier in the security update tagged as MS08-014. That bulletin fixed multiple flaws in Excel 2000, 2002, 2003 and 2007 on Windows, and Excel 2004 and Excel 2008 on the Mac.

"The vulnerability that this exploit is designed to leverage was originally exploited in the wild on January 15, 2008," said Symantec Corp. security analyst Aaron Adams in an alert to customers of the company's DeepSight threat notification service. "We believe it leverages CVE-2008-0081 ... [and] involves the manipulation of an uninitialized stack variable by specially crafting an Excel file such that stack data will be pre-populated with user-supplied data and therefore able to influence the value of the uninitialized variable."

Microsoft labeled CVE-2008-0081 "critical" on Excel 2000, and "important" on Excel 2002 and 2003.

Microsoft first acknowledged the Excel bug more than two months ago, when it confirmed that hackers were attacking Windows machines via Excel. At the time, the company's security team characterized the attacks as "targeted and not widespread."

Once the attack code was publicly posted on Friday, Adams advised users to apply MS08-014 immediately. "This should be considered a high priority in light of the availability of exploit code," he said. "Additionally, users should be advised to carry out extreme caution when handling Excel files received online. If possible, Excel files should be filtered at the e-mail gateway until the updates can be applied."

The MS08-014 update was the same one that Microsoft had to re-release last week after it discovered one of the Excel fixes had produced a regression error that generated wrong results in some calculations.


Computerworld
For more enterprise computing news, visit Computerworld. Story copyright © 2007 Computerworld Inc. All rights reserved.


Recommend this story?
Yes
No
Related Searches: microsoft excel exploit patch

Comments
Related Content
Tags at a Glance
Latest News
Qualcomm Will Trial Future Wireless Broadband in UK
Qualcomm on Friday announced it has acquired 40 MHz of U.K. spectrum in the 1.4 GHz band. It will initially be used for the... 16-May-2008
Verizon Wins $678.5 Million Homeland Security Contract
Verizon will provide Internet protocol and security services, as well as emergency communications services to help the department respond quickly to disasters. 16-May-2008
RIM Will Launch Touch-Screen BlackBerry in Q3: Report
The device, known as the Thunder, is to be sold exclusively through Verizon Wireless in the U.S. and Vodafone abroad. 16-May-2008
Florida Seeks to Fine Verizon for Bad Service
Florida's attorney general said on Thursday the state was seeking to fine Verizon for violating service standards. 16-May-2008
Bogus Grand Theft Auto IV Contains Trojan
Hundreds of Grand Theft Auto IV fans eager to get their hands on a free copy of the game have been targeted by a Trojan virus. 16-May-2008
Apple Dismisses Safari Download Issue
A security researcher has published a demonstration exploit that takes advantage of the download mechanism in Apple's Safari. 16-May-2008
Sega Announces Trio of Games for Wii, DS, 360 and PS3
A fourth unannounced game, being developed by Resident Evil creator Shinji Mikami, is also in the works. 16-May-2008
Online Maps Reveal Noise Levels Across England
Maps showing noise levels in towns across England were published on Friday in an attempt to reduce the disruption caused by factories, planes, trains and cars. 16-May-2008
Konami to Release Rock Revolution This October
Unveiled at the Konami Gamer's Night on Wednesday, Rock Revolution was confirmed for release on Xbox 360, PS3, Wii, and DS. 16-May-2008
NASA Moves to Save Computers From Swarming Ants
A flood of voracious ants is heading straight for Houston, taking out computers, radios and even vehicles in their path. 16-May-2008

PC World's Marketplace

PC World's Free Whitepapers

Name City
Address 1 State Zip
Address 2 E-mail (optional)