 |
||||
 | |
| ||
|
||||
| ||||
|
|
||||
Careers
Convergence
Data Center
LANs
Net/Systems Mgmt.
NOSes
Outsourcing
Routers/Switches
Security
Service Providers
Small/Med.
Storage
WAN Services
Web/e-commerce
Wireless/Mobile
Newsletters
This Week in NW
Tests/Reviews
Buyer's Guides
Opinion
Forums
Special Issues
How to/Primers
Case Studies
Network Life
Encyclopedia
IT Briefings
/
Microsoft warns of PowerPoint, Excel vulnerabilities
 
|
|||
 | |||
|
Microsoft is warning users of a security hole in its popular Excel and PowerPoint software that could let malicious attackers take control of a victim's computer.
The vulnerability affects Microsoft Excel 2000 and 2002 for Windows, PowerPoint 2000 and 2002 for Windows, and various other versions of the software for the Macintosh platform, according to a Microsoft advisory posted Thursday.
Patches for the affected software are available immediately and should be applied as soon as possible, Microsoft said in its advisory.
The vulnerability exists in the way macros are detected in PowerPoint and Excel documents, according to the company.
Macros are basically small pieces of code in applications such as PowerPoint and Excel that automate certain tasks, such as finding and replacing text, on behalf of the user. In the past, attackers have created malicious macros capable of deleting or changing files or moving them to different locations, and have hidden the code in PowerPoint and Excel documents.
To deal with this threat, Microsoft has for sometime included a functionality in both applications that scans for the presence of macros in all PowerPoint and Excel documents. The feature alerts users if a macro is detected, allowing the user to decide whether to permit the macro to be executed.
The vulnerability allows users to create PowerPoint and Excel documents that skirt this protection and allows macros to execute automatically without user permission, said Motoaki Yamamura, a senior development manager with Cupertino, Calif.-based Symantec Corp. security response team.
As a result, a cracker could create and send PowerPoint and Excel documents which, when opened, would cause malicious code to run in the background without the victim's knowledge.
Because users aren't alerted to the presence of a macro in such malformed documents, "They might feel secure, when in reality they are not," Yamamura said. It would require an attacker with a good understanding of the software and how Microsoft file formats are structured to exploit the hole, Yamamura said.
The vulnerablity was first brought to Microsoft's notice about two months ago by Symantec.
News of the latest hole comes, ironically enough, one day after Microsoft rolled out a companywide program called Strategic Technology Protection Program, which is aimed at making it easier for corporations to secure their Windows environments.
For more enterprise computing news, visit Computerworld online. Story copyright (c) 2001 Computerworld, Inc. All rights reserved.
Related Links
 |
 |
 |
|||||
|
|
|
|
|
|||