Microsoft Not Patching Excel Security Flaw
In one of its more disappointing announcements of late, Microsoft said today that although it is rolling out three security updates, including a critical one, it isn't fixing a flaw in Excel that, sadly, crackers are now exploiting.
Symantec's researchers, according to a Computerworld article on the Excel bug, described it this way:
"The vulnerability is a file format bug in all supported versions, including the latest -- Excel 2007 on Windows and Excel 2008 for the Mac."
Given that it is such a widespread bug, it makes sense that it takes time to sort through all the ramifications of a fix; however, precisely because it affects all versions of Excel, we'd really hoped Microsoft would have pursued this patch aggressively and come up with a fix more quickly.
Now, given that Microsoft only releases patches 12 times a year, it's especially important to confirm that the person who appears to have sent you an Excel spreadsheet really did send it, and it's equally important to stay on top of antivirus software updates.
We're going to continue to monitor the status of this bug and any fallout from it (or a subsequent patch) here, so watch this section for details as they become available.
Editor's update: Having missed the link to the Microsoft Security Advisory on Excel, I thought it prudent to include it, should someone come across this post looking for information on dealing with the exploit.
Since this piece was posted, Microsoft has made several patches available for the different versions of Microsoft Office. Here's MS security bulletin MS09-009 on how to patch Microsoft Excel against this (and other) vulnerabilities.