Second New Flaw Discovered in Excel
As Microsoft scrambles to fix one security flaw in its Excel spreadsheet program, security researchers have uncovered another. First disclosed by Symantec on Monday, the problem could cause Excel to crash after a malicious file is opened.
While code execution and system takeover are also possible, that risk has not been confirmed, Symantec said. However, security firm Secunia disagreed, saying successful exploitation would allow the execution of arbitrary code.
Additionally, Secunia reported that it had not been notified of any available exploit code or instances of attempts to take advantage of the flaw. But yet again there was disagreement, with Symantec saying exploit code was available.
"The vulnerability is caused due to a boundary error in hlink.dll within the handling of Hyperlinks in e.g. Excel documents," Secunia wrote in its advisory. "This can be exploited to cause a stack-based buffer overflow by tricking a user into clicking a specially crafted Hyperlink in a malicious Excel document."
Both firms suggested refraining from opening untrusted Office documents as a precaution. Microsoft had no immediate comment on this latest issue.
The disclosure came shortly after Microsoft issued a security advisory for the vulnerability in Excel that was disclosed by the company's Security Response Center on Friday. According to Microsoft, zero-day attacks are being carried out against a vulnerability in Excel 2000, 2002, 2003 and Excel 2004 for Mac.
The exploit, currently being sent via e-mail, could give an attacker the same rights as a user, which could lead to a full system compromise. Although Excel 2002 and 2003 prompt a user before opening a potentially malicious Excel file, Excel 2000 does not.
This second vulnerability affects Excel 2000, 2002 and 2003, as well as the Excel Viewer. The fully patched version of Excel 2003 SP2 also includes the flaw, Secunia says.
Microsoft has not said whether it plans to address either issue before the next monthly security updates scheduled for July 11. However, if the past is any guide, it's fairly unlikely that the Redmond company will issue an out-of-cycle patch.