Printed from www.pcpro.co.uk
'Critical' flaws in Office revealed
Posted on 15 Mar 2006 at 10:36
Microsoft is reporting several critical vulnerabilities that affect various Office applications, in particular the Excel spreadsheet program. The flaws, which affect a number of different versions of Office applications, could allow a hacker to gain control of a computer if the user has administrative rights.
All versions of Office and the Microsoft Works suite from 2000 onwards are affected. Unusually, Microsoft is reporting that many of the security holes relating to Office software not only affect PC versions but also those of the Macintosh.
There are a total of five reported vulnerabilities relating to Microsoft Excel. These include problems that occur when malformed range, file format parsing, description, graphic and record flaws are run on a computer. When executed, they open the machine up to being controlled by an attacker.
For example, a remote code execution vulnerability exists in Excel when using a malformed graphic. An attacker could exploit the vulnerability by constructing a specially crafted Excel file that could allow remote code execution.
Microsoft is also reporting a problem with routing slips. The company says that an attacker could exploit the vulnerability by constructing a specially crafted routing slip within an Office document that could allow remote code execution and take control of the system.
In mitigation Microsoft says that while critical, some of the later versions of Office are less vulnerable than earlier ones. In the case of the malformed graphic when running Office XP or Office 2003, the vulnerability could not be exploited automatically through email. For an attack to be successful a user must open an attachment that is sent in an email message.
With Office XP and Office 2003, this vulnerability could not be exploited automatically through a Web-based attack. An attacker would have to host a website that contains an Office file that is used to attempt to exploit this vulnerability. In order to exploit the flaw an attacker would have to persuade a user to visit the website, typically by getting them to click a link that takes them to the attacker's site.
The vulnerabilities are part of the March 'Patch Tuesday' monthly update of security issues relating to Microsoft software. Further details are available at the Microsoft Technet site. As always, the advice is to install the patches as soon as possible.
Author: Steve Malone
advertisement
- Photoshop Mobile on Android review: first look
- ATI Radeon HD 5970: 42% more expensive in the UK
- Office 2010 Beta – 32-bit or 64-bit – The Choice is Clear
- Why Britain's watchdogs have fewer teeth than goldfish
- Tabbed documents: how to make Office 2010 great
- Outlook 2010 People Pane – does it spell death to Xobni
- Microsoft Outlook 2010 screenshots
- Co-Authoring in Word 2010 and SharePoint Foundation 2010
- Microsoft Outlook 2010 screenshots: Backstage view
- Flash 10.1: Developing for Desktop and Device
- Getting to grips with Microsoft's IT Health Environment Scanner
- Virtualise your servers
- The changing face of travel gadgets
- Build your own distributed file system
- The bulletproof Dell that costs an arm and a leg
- Microsoft Office 2010 Technical Preview: Q&A
- Lawnmowers, the TyTN II and one odd insurance request
- There'll never be a bulletproof OS
- How far can we trust apps?
- Five nice touches in Outlook 2010
advertisement
