
Microsoft: Attackers Target Unpatched Excel Flaw

Microsoft Corp. is warning computer users that attackers are now exploiting a previously unknown security hole in the company's Excel spreadsheet software to break into vulnerable systems.

The vulnerability, which appears to be present in all supported versions of Microsoft Excel and Microsoft Office (including Office 2004 and Office 2008 for Mac), could be exploited merely by convincing a user to open a booby-trapped Excel file hosted on a hacked or malicious Web site, or sent as an attachment in an e-mail message.

Microsoft reports that it is "aware only of limited and targeted attacks that attempt to use this vulnerability," and that it is working on shipping a fix for the flaw. Symantec researchers, writing on the company's blog, more or less support Microsoft's claim that this flaw is not yet being widely exploited.

But that should not deter readers from following this tried-and-true advice: If you didn't ask for it, be very cautious about opening e-mail attachments. If you're not sure whether someone you know meant to send you an attachment, reply back and check with the sender before deciding whether to download and open it.

Microsoft also released a non-security update to further disable the "Autorun" feature in Windows. This feature, on by default in Windows, is what's responsible for displaying the contents of a removable drive -- such as a USB stick or CD-ROM -- when users insert the devices into a Windows PC.

Malicious software writers have long abused this feature of Windows to spread their creations. More recently, this method of spreading made headlines with the emergence of the Conficker worm, which has spread to millions of PCs around the globe -- in part due to a security hole Microsoft fixed late last year, but also by infecting removable media and spreading to new systems and networks via the Autorun feature.

Shortly after Conficker became a global pandemic, experts at the U.S. Computer Emergency Response Team and elsewhere pointed out that Microsoft's advice on how to disable Autorun in Windows wasn't quite complete.

The supplemental advice on how to do that involves editing the Windows registry -- by most accounts not a place for the computer novice to be mucking around deleting or editing entries. So, the fix Microsoft is releasing should make completely disabling Autorun in Windows as simple as downloading and installing the patch, or grabbing it via Microsoft Update, right?

Nope. The Autorun fix released this week merely changes things so that Windows actually honors whatever registry settings you may have changed for Autorun. According to Microsoft, in order to fully disable Autorun on Windows, users need to have installed the appropriate update from a list of patches Microsoft shipped late last year *and* to edit the Windows registry, following the rather labyrinthine instructions here.

Clear as mud? I thought so too. Perhaps that's why Microsoft issued this as "a security advisory about a non-security update."
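As an added example (not from the article and not Microsoft's own tool), the following PowerShell snippet audits the registry half of that procedure: it reads the NoDriveTypeAutoRun policy value that Microsoft's registry guidance has administrators set, decodes it per drive type, and reports whether Autorun is off everywhere. It assumes the February 2009 update is already installed, since without it Windows may ignore this value for some media, which is exactly the problem the article describes.

```powershell
# Added example (not from the article): audit whether Autorun is fully disabled
# on this machine by reading the NoDriveTypeAutoRun policy value from the
# machine-wide and per-user Explorer policy keys. Assumes the February 2009
# update that makes Windows honor this value is installed; this checks only
# the registry side.
$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

# Bit meanings of NoDriveTypeAutoRun; a set bit disables Autorun for that
# drive type, and 0xFF disables it for every type.
$driveBits = [ordered]@{
    0x04 = 'Removable (USB sticks, floppies)'
    0x08 = 'Fixed'
    0x10 = 'Network'
    0x20 = 'CD-ROM / DVD'
    0x40 = 'RAM disk'
    0x80 = 'Unknown type'
}

foreach ($path in $policyPaths) {
    $item = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No policy value at all: the Windows default applies, which leaves
        # Autorun enabled for removable media and CD-ROMs.
        Write-Output "$path : NoDriveTypeAutoRun not set (Windows default applies)"
        continue
    }
    $value = [int]$item.NoDriveTypeAutoRun
    Write-Output ("{0} : NoDriveTypeAutoRun = 0x{1:X2}" -f $path, $value)
    foreach ($bit in $driveBits.Keys) {
        $state = if ($value -band $bit) { 'disabled' } else { 'ENABLED' }
        Write-Output ("    {0,-32} Autorun {1}" -f $driveBits[$bit], $state)
    }
    if (($value -band 0xFF) -eq 0xFF) {
        Write-Output '    -> Autorun fully disabled for all drive types at this key'
    }
}
```

A machine-wide HKLM value takes precedence over the per-user one, so the HKLM line is the one that matters for a locked-down PC.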

By Brian Krebs  |  February 27, 2009; 7:30 AM ET
Categories:  Latest Warnings , Safety Tips  | Tags: autorun, excel, exploit, microsoft  

Comments

You should mention that there are significant mitigating factors for the Excel bug, the most important of which is that you can block the bug if you run MOICE (the Microsoft Office Isolated Conversion Environment), a tool everyone should be running anyway. MOICE converts files into and out of the new Office formats. Like so many other Office vulnerabilities, this one is tied to the old formats.

Posted by: lseltzer | February 27, 2009 8:13 AM | Report abuse

Sorry, the MOICE link didn't work in my first post. Here it is: http://support.microsoft.com/kb/935865

Posted by: lseltzer | February 27, 2009 8:13 AM | Report abuse

Sick of Microsoft's endless stream of bugs? Try Linux the no-cost o/s- fast, safe, *free of charge*. Download it onto a spare box and have a look, you'll be glad you did- http://www.ubuntu.com/

Posted by: hairguy01 | February 27, 2009 11:11 AM | Report abuse

Yet another reason to ditch the expensive Microsoft Office suite and download the free, and very capable, OpenOffice.org office suite. Having used it for four years, at Brian's suggestion, I can say it has fulfilled all of my word processing and rather complex spreadsheet needs.

Posted by: AnnArborGuy | February 27, 2009 11:29 AM | Report abuse

A confusing double negative from m$

To turn off autoplay, you need to enable it for all drives.

This dumb guy sees "disable" and thinks on first go through that is what needs to be done.

This dumb guy knows he's a dumb guy, so he always rereads instructions and then checks to see if it was done right, so maybe not so dumb after all.

Posted by: kiosk | February 27, 2009 11:32 AM | Report abuse

Now if ONLY Open Office.org ALSO had a program like OUTLOOK it would be PERFECT !!!!!!!!!!!!!!

Posted by: brucerealtor@gmail.com | February 28, 2009 3:08 AM | Report abuse

For more about disabling autorun, see my blog at computerworld.

http://blogs.computerworld.com/the_best_way_to_disable_autorun_to_be_protected_from_infected_usb_flash_drives

Microsoft's approach to disabling autorun is poor. It's incomplete, buggy and inconsistent on different versions of Windows, as well as inconsistent for different media. In contrast, there is a simple registry zap that does a much better job -- it totally neutralizes the true source of the problem, the autorun.inf files.

Posted by: MichaelsPostingID | March 1, 2009 12:15 AM | Report abuse


© 2010 The Washington Post Company