
No Patch For Excel Zero-Day Flaw

Posted by timothy
from the excel-lent dept.
CWmike writes "Microsoft said today that it will deliver three security updates on Tuesday, one of them marked 'critical,' but will not fix an Excel flaw that attackers are now exploiting. 'It doesn't look like we're going to see patches for any open Microsoft security advisories,' said Andrew Storms, director of security operations at nCircle Network Security, pointing to three that have not yet been closed. Those include two advisories issued last year — one from April 2008, another from December — and the Excel alert published last week. 'I'm not really surprised that the Excel vulnerability won't be patched, what with the timeline,' said Storms, 'but the others have been open for a long time.'"

  • by Anonymous Coward on Thursday March 05, 2009 @05:41PM (#27082915)
    Fair enough. On your way out don't let the door hit you where the lord split you.
  • Re:HAHAHAHHA (Score:3, Informative)

    by Vancorps (746090) on Thursday March 05, 2009 @06:00PM (#27083259)
    Honestly, do you really allow Excel documents to come from the outside? This is why companies have secure transfer facilities for items which could be dangerous if accepted from any random party.
  • by Gnavpot (708731) on Thursday March 05, 2009 @06:40PM (#27083921)

    According to Microsoft, they have a better track-record at fixing bugs faster than Linux.

    I assume you were funny, but in case you were not:

    Microsoft counts from the day they publicly confirm the existence of a bug.

    Most others count from the day the bug was publicly known.

    So if Microsoft delay the confirmation of a publicly known bug, the numbers will work in their favour.

  • by Anonymous Coward on Thursday March 05, 2009 @08:14PM (#27085229)

    Won't work as-is, and I've never heard of an exploit being successfully 'ported' to OO or whatever. XLS is like the other "classic" office formats basically just a serialised object memory dump, which is why it's such a horrific mess and full of vulnerabilities. However the vulnerabilities always seem to be overwrites dependent on the exact memory structure that the office parser produces, rather than generalised "whoops we passed user input to an exec()" type ones.
