« New Trojan Targets Unpatched Microsoft Excel Flaws | Main | Conficker Removal Tool Released »
03/05/2009
Microsoft Not Patching Excel Security Flaw
Co-Editor
In one of the more disappointing announcements of late coming from Microsoft, they announced today that even though they were rolling out three security updates, including a critical one, they weren't fixing one in Excel that, sadly, crackers are now exploiting.
Symantec's researchers, according to a Computerworld article on the Excel bug, described it this way:
"The vulnerability is a file format bug in all supported versions, including the latest -- Excel 2007 on Windows and Excel 2008 for the Mac."
Given that it is such a widespread bug, it makes sense that it takes time to sort through all the ramifications of such a fix; however, we'd really hoped that for that very reason, it being a widespread bug, because it does affect all versions of Excel, Microsoft would have taken after this patch aggressively and come up with a fix more quickly.
Now, given that Microsoft only releases patches 12 times a year, it's especially important to know that the person sending you an Excel spreadsheet really has sent the sheet, and it's equally important to make sure you're staying atop antivirus software updates.
We're going to continue to monitor the status of this bug and any fallout from it (or a subsequent patch) here, so watch this section for details as they become available.
Editors update: Having missed the link to the Microsoft Security Advisory on Excel, I thought it prudent to include it should someone come across this post looking for information on dealing with the exploit.
Since having posting this piece Microsoft has subsequently made several patches available for the different versions of Microsoft Office. Here's MS security bulletin MS09-009 on how to patch Microsoft Excel against this (and other vulnerabilities).
TrackBack
TrackBack URL for this entry:
https://www.typepad.com/services/trackback/6a0133f40d81f4970b0134876491be970c
Listed below are links to weblogs that reference Microsoft Not Patching Excel Security Flaw :
The comments to this entry are closed.
Comments
You can follow this conversation by subscribing to the comment feed for this post.