No Patch For Excel Zero-Day Flaw

Posted by timothy
from the excel-lent dept.
CWmike writes "Microsoft said today that it will deliver three security updates on Tuesday, one of them marked 'critical,' but will not fix an Excel flaw that attackers are now exploiting. 'It doesn't look like we're going to see patches for any open Microsoft security advisories,' said Andrew Storms, director of security operations at nCircle Network Security, pointing to three that have not yet been closed. Those include two advisories issued last year — one from April 2008, another from December — and the Excel alert published last week. 'I'm not really surprised that the Excel vulnerability won't be patched, what with the timeline,' said Storms, 'but the others have been open for a long time.'"
  • HAHAHAHHA (Score:4, Interesting)

    by Culture20 (968837) on Thursday March 05, 2009 @05:20PM (#27082629)
    I would be laughing if I didn't have to support MS Office users occasionally. Did they really have to announce that they weren't going to patch excel?
    • Re: (Score:3, Informative)

      by Vancorps (746090)
      Honestly, do you really allow excel documents to come from the outside? This is why companies have secure transfer facilities for items which could be dangerous if accepted from any random party.
      • by Culture20 (968837)
        Some businesses require high degrees of personal computing freedom. Thankfully, this often translates into "you break it, you bought it", but I kind of feel like a doctor watching his patients go against sound medical advice.
        • by Vancorps (746090)
          Fair enough, some businesses don't have the technical staffing to deploy it either. It does effectively fight the problem though which is a shame since more companies don't do it.
      • by Bert64 (520050)

        Most companies do, it is common for companies to send MS binary formats over the internet, e.g. via email, and blocking them would disrupt things...

        But I agree, it is stupid to receive such files from the outside.. Filtering should be set up to only allow known documented formats, and then parse these formats to validate them against the spec, possibly opening and resaving them in the process to strip out anything malicious (doing this breaks the jpeg exploits that floated around a couple of years ago for ins
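The gateway policy Bert64 sketches above (accept only documented formats, check each one against its spec, and set macro-bearing workbooks aside) as an added Python example. This is editor-supplied illustration, not code from the article or from any commenter. The file names, the sample attachments and the allow/quarantine/reject verdicts are constructed assumptions; the VBA check on binary .xls files is a heuristic scan for the UTF-16LE directory-entry name Excel uses for its VBA storage, not a full MS-CFB directory walk.

```python
"""Inbound-spreadsheet gate: allow only documented formats, check them against
their spec, route macro-bearing workbooks aside.  Editor-added example; the
policy, names and sample files below are constructed assumptions."""
import io
import struct
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # MS-CFB signature (.xls)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML packages are zips
MACRO_MAIN = b"application/vnd.ms-excel.sheet.macroEnabled.main+xml"
# Excel keeps its VBA project in a storage named _VBA_PROJECT_CUR; CFB
# directory-entry names are UTF-16LE.  Heuristic: a real gate walks the chain.
VBA_STORAGE_NAME = "_VBA_PROJECT_CUR".encode("utf-16-le")


def ole2_header_ok(data: bytes) -> bool:
    """Check the fixed MS-CFB header fields a spec-conforming file must carry."""
    if len(data) < 512 or not data.startswith(OLE2_MAGIC):
        return False
    major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHH", data, 26)
    version_ok = (major, sector_shift) in ((3, 9), (4, 12))
    return byte_order == 0xFFFE and version_ok and mini_shift == 6


def ooxml_parts(data: bytes):
    """Return {part name: bytes} for a sound zip package, or None if it is not one."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:           # CRC failure in some member
                return None
            return {i.filename: zf.read(i.filename) for i in zf.infolist()}
    except zipfile.BadZipFile:
        return None


def check_spreadsheet(filename: str, data: bytes):
    """Return (verdict, reason); verdict is 'allow', 'quarantine' or 'reject'."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext not in ("xls", "xlsx", "xlsm"):
        return "reject", "extension not on the allow list"
    if ext == "xls":
        if not data.startswith(OLE2_MAGIC):
            return "reject", "claims .xls but is not an OLE2 compound file"
        if not ole2_header_ok(data):
            return "reject", "OLE2 header violates MS-CFB"
        if VBA_STORAGE_NAME in data:
            return "quarantine", "binary workbook appears to carry a VBA project"
        return "allow", "OLE2 workbook, no VBA storage seen"
    if not data.startswith(ZIP_MAGIC):
        return "reject", f"claims .{ext} but is not a zip container"
    parts = ooxml_parts(data)
    if parts is None or "[Content_Types].xml" not in parts or "xl/workbook.xml" not in parts:
        return "reject", "not a well-formed OOXML workbook package"
    has_vba = any(name.startswith("xl/vbaProject") for name in parts)
    declares_macro = MACRO_MAIN in parts["[Content_Types].xml"]
    if ext == "xlsx" and (has_vba or declares_macro):
        return "reject", ".xlsx must not carry or declare a VBA project"
    if ext == "xlsm":
        return "quarantine", "macro-enabled workbook; route to sandbox or manual review"
    return "allow", "OOXML workbook without macros"


# --- constructed sample attachments (not real files) ------------------------
def _ooxml(extra_parts, macro=False):
    main = MACRO_MAIN if macro else b"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
    ct = (b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          b'<Override PartName="/xl/workbook.xml" ContentType="' + main + b'"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("xl/workbook.xml", b"<workbook/>")
        for name, body in extra_parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def _ole2(with_vba=False):
    hdr = bytearray(512)
    hdr[0:8] = OLE2_MAGIC
    # minor 0x3E, major 3, byte order 0xFFFE, sector shift 9, mini shift 6
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)
    body = bytes(hdr) + b"\x00" * 512
    if with_vba:                                    # fake directory-entry name
        body += VBA_STORAGE_NAME + b"\x00" * 96
    return body


SAMPLES = {
    "clean.xls": _ole2(),
    "macro.xls": _ole2(with_vba=True),
    "clean.xlsx": _ooxml({}),
    "sneaky.xlsx": _ooxml({"xl/vbaProject.bin": b"\x00" * 16}),
    "macro.xlsm": _ooxml({"xl/vbaProject.bin": b"\x00" * 16}, macro=True),
    "renamed.xls": _ooxml({}),                      # OOXML bytes behind a .xls name
    "dropper.xlsx": b"MZ" + b"\x90" * 64,           # PE image behind a .xlsx name
    "notes.txt": b"hello",
}


def scan_all(samples=SAMPLES):
    return {name: check_spreadsheet(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, why = check_spreadsheet(name, data)
        print(f"{name:13s} {verdict:10s} {why}")
```

The two checks that matter most are the ones a plain extension filter cannot do: the sniffed container type must agree with the claimed extension (a zip or a PE image named .xls is rejected outright), and the package must actually be a workbook, with any VBA project forcing a quarantine rather than a silent pass.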

      • Problem is that an email infected with a virus coming from within your own company's firewall
        means someone's system was infected (using those stupid screensavers again?)
        and now has propagated to excel files within the network, on the servers, or on local PCs.

        You have no idea how many excel files get transferred within a company during the day that do not come from the outside, but could be infected.

  • by Slumdog (1460213) on Thursday March 05, 2009 @05:22PM (#27082669)
    OK, you may disagree, but I've worked at banks and found that Excel use is widespread in mission critical applications, research, trading, and what not. It's like the swiss army knife for non-programmers engaged in decision making. They don't care about security issues (really, they wouldn't know if there was a security issue in any app until Legal departments tell them)

    The philosophy for these situations is, 'if it's not broken, don't fix it'. As long as Excel remains usable for corporate clients, upgrades and bug fixes will trickle in at a slow rate.
    • by morgan_greywolf (835522) on Thursday March 05, 2009 @05:48PM (#27083011) Homepage Journal

      Yeah. Decision makers at banks have proved themselves to be really intelligent lately, huh?

      • Re: (Score:2, Interesting)

        by Slumdog (1460213)

        Yeah. Decision makers at banks have proved themselves to be really intelligent lately, huh?

        did I say they were intelligent?

      • Why do you think that people are unintelligent if they can't program?

        And incidentally, I think the decision makers at the banks have made some smart decisions from their perspectives, haven't they? After all, they are still coming away with millions [telegraph.co.uk].

        • Why do you think that people are unintelligent if they can't program?

          I don't. I think they're unintelligent if they lend money to people who can't pay it back and then package those loans up as commodities and sell them. I think that's pretty stupid, don't you?

          • by VENONA (902751)

            Ummm, no. They were smart enough that they could basically package *dirt* and sell it.

            The people that *bought* them were stupid. There were even Signs in the Heavens, in the form of the ratings services assigning the same ratings to some of these that they were giving to Treasury instruments. And there were *still* buyers, to the tune of untold trillions of dollars. Never underestimate the power of human greed.

            What astounds me is that the people at Moody's and the other ratings orgs aren't facing charges ye

            • Where they were stupid is their failure to realize that the economy is a bunch of interconnected parts. Screw others and you screw yourself.
      • Re: (Score:3, Insightful)

        by mcgrew (92797) *

        Considering how powerful spreadsheets (not just Excel) have been for decades, why would anyone open a spreadsheet from an untrusted source? Maybe I should RTFA, but this seems dumb.

        All of them I know of (am I out of date on this?) can open files, etc. Seems to me a spreadsheet should do math and formatting -- and nothing else.

        Ironically, at work I get spreadsheets all the time; I have to convert between Lotus, Excel, and Quattro. I usually send a PDF as well, and more irony here; isn't there an Adobe vuln t

    • by Em Emalb (452530)

      (really, they wouldn't know if there was a security issue in any app until Legal departments tell them)

      Maybe that's the problem.

      • by Slumdog (1460213)

        (really, they wouldn't know if there was a security issue in any app until Legal departments tell them)

        Maybe that's the problem.

        Now! That's what I call attention to detail! Have you thought, it could be the problem that caused other problems? Remember SocGen?

    • by Bert64 (520050)

      Excel is known to get some complex calculations wrong (plenty of documentation on google for this)... If you are using it for financial accounting you are likely to be in violation of Sarbanes-Oxley requirements.

  • by Anonymous Coward

    So you receive a virus-riddled Excel spreadsheet, open it, the virus infects your system, and what...your system runs as shitty as it always did, the uptime and stability go from crapsville to shitycity, the OS is still as sluggish as it's always been. I mean, hell, there's even a shot that the virus will make things a little better. At least maybe you'll get occasional porn popups from the system tray, and your IE home page will be redirected to an asian teen movie site. I'd say it's a net win.

  • My russian friends can make zero day exploits all day long. It's good for the economy. Keeps you silly american busy. I love amerika robert halcombe rhalcom@sovgrp.com
  • by Anonymous Coward

    I have an excel spreadsheet that shows the history of such an exploit. Please open the following...

  • I wonder if anyone has tested this exploit on Open Office Calc, Apple Numbers and other MS Office compatible applications?

    • Re: (Score:1, Informative)

      by Anonymous Coward

      Won't work as-is, and I've never heard of an exploit being successfully 'ported' to OO or whatever. XLS is like the other "classic" office formats basically just a serialised object memory dump, which is why it's such a horrific mess and full of vulnerabilities. However the vulnerabilities always seem to be overwrites dependent on the exact memory structure that the office parser produces, rather than generalised "whoops we passed user input to an exec()" type ones.

      • by Bert64 (520050)

        Since OO is based on reverse engineering, it has a far more robust parser for the MS formats... Because they don't know what to expect, their parser is much better at handling unexpected data.. This is also why OO is often much better at opening damaged files.

  • Ha! Skimming through the subject lines, I thought this post read "No Patch For Adobe Zero-Day Flaw".
  • Can we stop using the term "zero-day"? It is supposed to refer to malware that is released the same day the exploit becomes public knowledge. At this point, the excel bug still may not be fixed, but it's been a heck of a lot more than zero days since it was publicized...

  • This just proves that being a monopoly allows you to ignore your users.

    Excel is a major tool in many corporates, and having such an exploit can make havoc.

    Not the least, this shows that making your own rules can help you claim whatever you want - time to fix / number of vulnerabilities, etc.

    Design to last - blog on system engineering [design-to-last.com]
