M$ confirms Excel 'zero day' vulnerability....


  • M$ confirms Excel 'zero day' vulnerability....



    Microsoft Excel zero-day vulnerability confirmed

    By Stan Beer
    Monday, 19 June 2006

    In what is turning out to be the most serious security year on record, yet another zero-day vulnerability has been discovered in a Microsoft Office product. This time a hole in the Excel spreadsheet has been found, with at least one attack confirmed by Microsoft.

    Just one month ago, a hole was discovered in Microsoft Word that enabled attackers to gain control of a computer through an infected Word email attachment. No sooner has that problem been patched than a new vulnerability in Excel has surfaced, which allows attackers to gain control of a computer when a user opens a malicious Excel attachment called okN.xls, which infects the computer with a Trojan horse.

    In a post to a company blog, Microsoft operations manager Mike Reavey said the company had received a single report from a customer being impacted by an attack using a new vulnerability in Microsoft Excel.

    "Here's what we know: In order for this attack to be carried out, a user must first open a malicious Excel document that is sent as an email attachment or otherwise provided to them by an attacker. (note that opening it out of email will prompt you to be careful about opening the attachment) So remember to be very careful opening unsolicited attachments from both known and unknown sources," said Reavey.

    The new Microsoft Office zero-day Excel vulnerability is so similar to the previous Word vulnerability that some experts believe that the two attacks are connected in an organised criminal conspiracy. With the Word vulnerability, users had to wait weeks until Patch Tuesday to get a fix. It is not clear whether Microsoft will make users wait that long again to receive a patch for the new Office product hole.

    If 2006 is going to be remembered for anything apart from the year Microsoft entered the security space, it could very well be the year that email users had to be careful about opening any emails at all. Flaws in non-executable document attachments and vulnerabilities caused by JavaScript code are rapidly combining to make email an unsafe method to exchange information.
    Dr. Mordrid
    ----------------------------
    An elephant is a mouse built to government specifications.

    I carry a gun because I can't throw a rock 1,250 fps

  • #2
    Another example of "Don't open shit you get in email" combined with "MS produced email clients are inherently unsafe"
    If there's artificial intelligence, there's bound to be some artificial stupidity.

    Jeremy Clarkson "806 brake horsepower..and that on that limp wrist faerie liquid the Americans call petrol, if you run it on the more explosive jungle juice we have in Europe you'd be getting 850 brake horsepower..."
