No Patch For Excel Zero-Day Flaw
CWmike writes "Microsoft said today that it will deliver three security updates on Tuesday, one of them marked 'critical,' but will not fix an Excel flaw that attackers are now exploiting. 'It doesn't look like we're going to see patches for any open Microsoft security advisories,' said Andrew Storms, director of security operations at nCircle Network Security, pointing to three that have not yet been closed. Those include two advisories issued last year — one from April 2008, another from December — and the Excel alert published last week. 'I'm not really surprised that the Excel vulnerability won't be patched, what with the timeline,' said Storms, 'but the others have been open for a long time.'"
HAHAHAHHA (Score:4, Interesting)
Re: (Score:2)
Most companies do; it is common for companies to send MS binary formats over the internet, e.g. via email, and blocking them would disrupt things...
But I agree, it is stupid to receive such files from the outside. Filtering should be set up to only allow known documented formats, and then parse these formats to validate them against the spec, possibly opening and resaving them in the process to strip out anything malicious (doing this breaks the JPEG exploits that floated around a couple of years ago for ins
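A gateway check of the kind this comment describes, added here as an example and not code from the thread or from any product: an allow-list of documented container formats by magic bytes, followed by validation of the legacy binary Office (OLE2 / Compound File Binary) header fields against the spec before the file is passed on. The magic values and header offsets are from the published CFB format; the sample file built by `sample_xls` is a constructed header-only stand-in, not a real spreadsheet.

```python
import struct

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"            # legacy .xls/.doc (Compound File Binary)
KNOWN_MAGIC = {OLE2_MAGIC: "ole2", b"PK\x03\x04": "zip", b"%PDF-": "pdf"}   # the allow-list

def classify(data: bytes) -> str:
    """Coarse format label from the leading bytes; anything else is 'unknown' and denied."""
    return next((kind for magic, kind in KNOWN_MAGIC.items() if data.startswith(magic)), "unknown")

def check_ole2_header(data: bytes) -> list:
    """Validate the 512-byte CFB header against the spec; returns a list of violations."""
    bad = []
    if len(data) < 512:
        return ["file shorter than the 512-byte header"]
    major, byte_order, sect_shift, mini_shift = struct.unpack_from("<HHHH", data, 26)
    n_fat, first_dir, _, mini_cutoff = struct.unpack_from("<IIII", data, 44)
    if byte_order != 0xFFFE:
        bad.append("byte order mark is not 0xFFFE")
    if (major, sect_shift) not in ((3, 9), (4, 12)):
        bad.append("major version %d with sector shift %d" % (major, sect_shift))
    if mini_shift != 6 or mini_cutoff != 4096:
        bad.append("mini sector shift/cutoff are not 6/4096")
    if n_fat == 0:
        bad.append("no FAT sectors")
    # Sector n lives at byte (n + 1) * sector_size, so the directory sector must fit in the file.
    sector_size = 1 << sect_shift if sect_shift in (9, 12) else 512
    if first_dir >= 0xFFFFFFFA or (first_dir + 2) * sector_size > len(data):
        bad.append("first directory sector lies outside the file")
    return bad

def gateway_decision(data: bytes) -> tuple:
    """(allow, reason) for one attachment: allow-list by format, then validate OLE2 headers."""
    kind = classify(data)
    if kind == "unknown":
        return False, "not on the allow-list of documented formats"
    if kind == "ole2":
        problems = check_ole2_header(data)
        if problems:
            return False, "malformed OLE2 header: " + "; ".join(problems)
    return True, kind

def sample_xls(sect_shift: int = 9, first_dir: int = 1) -> bytes:
    """Constructed CFB header plus two empty sectors (header-only sample, not a real spreadsheet)."""
    hdr = bytearray(512)
    hdr[0:8] = OLE2_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, sect_shift, 6)   # minor, major, BOM, shifts
    struct.pack_into("<IIII", hdr, 44, 1, first_dir, 0, 4096)             # FAT count, dir sector, txn, cutoff
    return bytes(hdr) + bytes(2 * 512)
```

The header check is only the first layer the comment calls for; a full validator would walk the FAT and directory chains the same way, rejecting any sector reference that leaves the file.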
Re: (Score:2)
The problem is that an email infected with a virus coming from within your own company's firewall means someone's system was infected (using those stupid screensavers again?) and it has now propagated to Excel files within the network, on the servers, or on local PCs.
You have no idea how many Excel files get transferred within a company during the day that do not come from the outside, but could be infected.
The problem with excel: being mission critical (Score:5, Insightful)
The philosophy for these situations is, 'if it's not broken, don't fix it'. As long as Excel remains usable for corporate clients, upgrades and bug fixes will trickle in at a slow rate.
Re:The problem with excel: being mission critical (Score:5, Insightful)
Yeah. Decision makers at banks have proved themselves to be really intelligent lately, huh?
Re: (Score:2, Interesting)
Yeah. Decision makers at banks have proved themselves to be really intelligent lately, huh?
Did I say they were intelligent?
Re: (Score:1)
Why do you think that people are unintelligent if they can't program?
And incidentally, I think the decision makers at the banks have made some smart decisions from their perspectives, haven't they? After all, they are still coming away with millions [telegraph.co.uk].
Re: (Score:1)
I don't. I think they're unintelligent if they lend money to people who can't pay it back and then package those loans up as commodities and sell them. I think that's pretty stupid, don't you?
Re: (Score:2)
Ummm, no. They were smart enough that they could basically package *dirt* and sell it.
The people that *bought* them were stupid. There were even Signs in the Heavens, in the form of the ratings services assigning the same ratings to some of these that they were giving to Treasury instruments. And there were *still* buyers, to the tune of untold trillions of dollars. Never underestimate the power of human greed.
What astounds me is that the people at Moody's and the other ratings orgs aren't facing charges ye
Re: (Score:3, Insightful)
Considering how powerful spreadsheets (not just Excel) have been for decades, why would anyone open a spreadsheet from an untrusted source? Maybe I should RTFA, but this seems dumb.
All of them I know of (am I out of date on this?) can open files, etc. Seems to me a spreadsheet should do math and formatting -- and nothing else.
Ironically, at work I get spreadsheets all the time; I have to convert between Lotus, Excel, and Quattro. I usually send a PDF as well, and more irony here; isn't there an Adobe vuln t
Re: (Score:2)
(really, they wouldn't know if there was a security issue in any app until Legal departments tell them)
Maybe that's the problem.
Re: (Score:1)
(really, they wouldn't know if there was a security issue in any app until Legal departments tell them)
Maybe that's the problem.
Now, that's what I call attention to detail! Have you thought it could be the problem that caused other problems? Remember SocGen?
Re: (Score:2)
Excel is known to get some complex calculations wrong (plenty of documentation on Google for this)... If you are using it for financial accounting you are likely to be in violation of Sarbanes-Oxley requirements.
What's the big deal??? (Score:2, Funny)
So you receive a virus-riddled Excel spreadsheet, open it, the virus infects your system, and what... your system runs as shitty as it always did, the uptime and stability go from crapsville to shitycity, the OS is still as sluggish as it's always been. I mean, hell, there's even a shot that the virus will make things a little better. At least maybe you'll get occasional porn popups from the system tray, and your IE home page will be redirected to an Asian teen movie site. I'd say it's a net win.
Re: (Score:2)
suck.com did one a few years ago called "suckdot"; it was hilarious. Tux wearing a turban and wielding a scimitar was priceless! I wish I could find it.
There are two Uncyclopedia articles about Slashdot: there's slashdot.org [wikia.com], a parody of Slashdot, and slashdot (country) [wikia.com].
From the parody (formatted to look like slashdot):
Re: (Score:1)
According to Microsoft, they have a better track record at fixing bugs faster than Linux.
Well, they seem to beat the hell out of OpenOffice.org, anyway. There's a bug in Calc that's been there for like...years now. OTOH, it's not a security bug, at least. ;)
Re: (Score:2)
There are bugs in MS products that have been there for years too; some of them are even security related...
Word has had a bug since 97 whereby the macro function for counting lines ignored lines with bullet points on them, but when you came to insert at a particular line it counted bullet points and so would put stuff in the wrong place... They fixed it in 2007 with a security hotfix for Word 2003 (wtf was a fix like this doing in a security hotfix?), but 2007 remained broken (may have been fixed by now, but I'
Re:But let's not forget... (Score:5, Informative)
I assume you were funny, but in case you were not:
Microsoft counts from the day they publicly confirm the existence of a bug.
Most others count from the day the bug was publicly known.
So if Microsoft delays the confirmation of a publicly known bug, the numbers will work in their favour.
Re: (Score:2)
According to Microsoft, they have a better track record at fixing bugs faster than Linux.
Well, they would do; they use a different track.
Re: (Score:1, Insightful)
If you don't even know that corporations still use it, why would I trust your advice? You're obviously stupid.
I love Linux and Open Source, but posts like this really piss me off.
Re: (Score:2)
As much as I don't like the idea of replacing Microsoft on the desktop with any Linux, I gotta appreciate the name.
Big Buck Hunter Safari for the win! The original is too easy by comparison.
Re: (Score:2)
What? Just a CD, not a DVD?
good for amerika (Score:1)
Put it into perspective... (Score:2, Funny)
I have an excel spreadsheet that shows the history of such an exploit. Please open the following...
Does this affect Open Office Calc & Apple Numb (Score:1)
I wonder if anyone has tested this exploit on OpenOffice Calc, Apple Numbers and other MS Office compatible applications?
Re: (Score:1, Informative)
Won't work as-is, and I've never heard of an exploit being successfully 'ported' to OO or whatever. XLS, like the other "classic" Office formats, is basically just a serialised object memory dump, which is why it's such a horrific mess and full of vulnerabilities. However, the vulnerabilities always seem to be overwrites dependent on the exact memory structure that the Office parser produces, rather than generalised "whoops, we passed user input to an exec()" type ones.
Re: (Score:2)
Since OO is based on reverse engineering, it has a far more robust parser for the MS formats... Because they don't know what to expect, their parser is much better at handling unexpected data. This is also why OO is often much better at opening damaged files.
No patch for... (Score:1)
zero-day? (Score:2)
Can we stop using the term "zero-day"? It is supposed to refer to malware that is released the same day the exploit becomes public knowledge. At this point, the Excel bug still may not be fixed, but it's been a heck of a lot more than zero days since it was publicized...
microsoft is a monopoly (Score:1)
This just proves that being a monopoly allows you to ignore your users.
Excel is a major tool in many corporates, and having such an exploit can wreak havoc.
Not least, this shows that making your own rules can help you claim whatever you want: time to fix, number of vulnerabilities, etc.
Design to last - blog on system engineering [design-to-last.com]