Although Excel is the focus of the new critical vulnerability, according to Microsoft, other Office applications are potentially at risk. Microsoft stressed in a security advisory that attackers have no way of forcing users to visit a malicious Web site or open a malicious file, but the company did not indicate whether it would release an Excel patch prior to the February 13 round of updates.
Microsoft is investigating another zero-day vulnerability in its Office suite of productivity applications after confirming that a critical, unpatched flaw exists in Excel.
The flaw is called a "zero-day vulnerability" because there is no patch to fix it, which means that hackers can actively exploit it. While Microsoft's next scheduled round of Windows updates is next Tuesday, there is no word yet on whether a patch will be released at that time to fix the flaw.
Redmond is investigating a limited number of attacks designed to exploit the vulnerability in several versions of Office, including 2000, 2002, 2003, and 2004 for the Mac.
Excel Threat
In order for this attack to be carried out, according to a security advisory released by Microsoft, a user must first open a malicious Office file, which would typically arrive as an e-mailed attachment -- a common strategy among malware writers. If the attached file is opened, it would give the attacker the same user rights as the victim has.
The vulnerability also can be exploited through a Web-based attack. In this case, the attacker would host a Web site that contains an Office file designed to corrupt system memory and allow the attacker to execute arbitrary code on the targeted computer.
Although Excel is the focus of the vulnerability, other Office applications are potentially at risk, according to Redmond. And while Microsoft stressed in the advisory that attackers have no way of forcing users to visit a malicious Web site or open a malicious file, the company did not immediately respond to requests for comment on the possibility of issuing an Excel patch prior to the February 13 round of updates.
Some users are still waiting for patches for four other critical flaws in Microsoft Word, leaving that software open to attack on at least two fronts. Microsoft has noted that it is working on security updates for Office to address this string of vulnerabilities.
Vista Powered
Office users running productivity applications on Microsoft's new operating system, Windows Vista, could find extra protection because even users logged in as administrators still operate in limited-access mode. Indeed, for all the complaints about Vista's security alerts getting in the way of a smooth computing experience, analysts say the new operating system's enhanced security offers an improvement over Windows XP.
Directions on Microsoft analyst Michael Cherry compared negative user reaction toward Vista's hardened security to air travelers who complain about having to jump through security hoops at airports. When there is a terrorist threat, he said, people stop complaining about waiting in long lines. But when conditions calm, he added, they bark about having to take off their shoes and put them through the scanner.
"Everybody will complain about those user dialogs in Vista until there is an incident," Cherry said. "Then they will think it's wonderful. Security comes at a price."
Microsoft is investigating another zero-day vulnerability in its Office suite of productivity applications after confirming that a critical, unpatched flaw exists in Excel.
The flaw is called a "zero-day vulnerability" because there is no patch to fix it, which means that hackers can actively exploit it. While Microsoft's next scheduled round of Windows updates is next Tuesday, there is no word yet on whether a patch will be released at that time to fix the flaw.
Redmond is investigating a limited number of attacks designed to exploit the vulnerability in several versions of Office, including 2000, 2002, 2003, and 2004 for the Mac.
Excel Threat
In order for this attack to be carried out, according to a security advisory released by Microsoft, a user must first open a malicious Office file, which would typically arrive as an e-mailed attachment -- a common strategy among malware writers. If the attached file is opened, it would give the attacker the same user rights as the victim has.
The vulnerability also can be exploited through a Web-based attack. In this case, the attacker would host a Web site that contains an Office file designed to corrupt system memory and allow the attacker to execute arbitrary code on the targeted computer.
Although Excel is the focus of the vulnerability, other Office applications are potentially at risk, according to Redmond. And while Microsoft stressed in the advisory that attackers have no way of forcing users to visit a malicious Web site or open a malicious file, the company did not immediately respond to requests for comment on the possibility of issuing an Excel patch prior to the February 13 round of updates.
Some users are still waiting for patches for four other critical flaws in Microsoft Word, leaving that software open to attack on at least two fronts. Microsoft has noted that it is working on security updates for Office to address this string of vulnerabilities.
Vista Powered
Office users running productivity applications on Microsoft's new operating system, Windows Vista, could find extra protection because even users logged in as administrators still operate in limited-access mode. Indeed, for all the complaints about Vista's security alerts getting in the way of a smooth computing experience, analysts say the new operating system's enhanced security offers an improvement over Windows XP.
Directions on Microsoft analyst Michael Cherry compared negative user reaction toward Vista's hardened security to air travelers who complain about having to jump through security hoops at airports. When there is a terrorist threat, he said, people stop complaining about waiting in long lines. But when conditions calm, he added, they bark about having to take off their shoes and put them through the scanner.
"Everybody will complain about those user dialogs in Vista until there is an incident," Cherry said. "Then they will think it's wonderful. Security comes at a price."
No comments:
Post a Comment