Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Vendors Spot Second Excel Bug

Just days after Microsoft confirmed that its Excel spreadsheet had an unpatched vulnerability currently being exploited by attackers, security vendors on Tuesday reported a second zero-day bug in the popular business application.

Last Thursday Microsoft acknowledged that a critical flaw in Excel was being used by attackers who had targeted a single company, the second such admission in a month. In May, a bug in Microsoft Word was used in similar fashion by hackers who targeted a small number of victims. A week ago, Microsoft patched the Word flaw.

Monday, the Redmond, Wash. developer issued a security advisory that promised a patch for the first Excel vulnerability and spelled out several steps enterprises and individuals could take to protect their systems until a fix was released.

In the advisory, Microsoft noted that Excel 2000, 2002, and 2003 for Windows (as well as the for-free Excel Viewer 2003 utility), and Excel v. X and 2004 for the Mac were at risk. The company also recommended several different defensive strategies, ranging from blocking all Excel-related file types at the gateway to deleting 40 keys from the Windows Registry to block Excel documents from opening directly within the application.

Tuesday, however, security companies reported that proof-of-concept exploit code had gone public for yet another Excel bug, this time one in a DLL that handles hyperlinks in Excel worksheets.

  • 1