Microsoft warns of new security issues in PowerPoint, Excel

From...

By Jaikumar Vijayan

(IDG) -- Microsoft is warning users about a security hole in its popular Excel and PowerPoint software that could let malicious attackers take control of their computers.

The vulnerability affects Microsoft Excel 2000 and 2002 for Windows and PowerPoint 2000 and 2002 for Windows, as well as various versions of the software for the Macintosh platform, according to an advisory the company posted Thursday.

IDG.net INFOCENTER Computerworld main page Computerworld's topic-oriented communities Computerworld's IT career center Free daily newsletters Related IDG.net Stories Internet vulnerabilities to cyberterrorism exposed How vulnerable is the U.S. IT infrastructure? Microsoft offers security program for the enterprise Features PC World.com Product Finder Mastering e-commerce by degrees Fast-track training puts nontechies in IT jobs Visit an IDG site Choose a site: IDG.net CIO Computerworld Darwin Dummies.com GamePro.com The Industry Standard ITWorld.com InfoWorld.com JavaWorld LinuxWorld Macworld Online Network World Fusion PC World Publish.com UnixInsider IDG.net search

Patches for the affected software are available immediately and should be applied as soon as possible, Microsoft says.

Macro vulnerability

The vulnerability exists in the way macros are detected in PowerPoint and Excel documents, according to the company.

Macros are basically small pieces of code in applications such as PowerPoint and Excel that automate certain tasks, such as finding and replacing text, on behalf of the user.

In the past, attackers have created malicious macros capable of deleting or changing files or moving them to different locations, and have hidden the code in PowerPoint and Excel documents.

To deal with this threat, Microsoft has for some time included a functionality in both applications that scans for the presence of macros in all PowerPoint and Excel documents. The feature alerts users if a macro is detected, allowing the user to decide whether to permit the macro to be executed.

Undermining protection

The latest vulnerability lets users create PowerPoint and Excel documents that skirt this protection, allowing macros to execute automatically without user permission, says Motoaki Yamamura, a senior development manager with Symantec's security response team.

As a result, a cracker could create and send PowerPoint and Excel documents that, when opened, would cause malicious code to run in the background without the victim's knowledge.

Because users aren't alerted to the presence of a macro in such malformed documents, "They might feel secure, when in reality they are not," Yamamura says.

It would require an attacker with a good understanding of the software and how Microsoft file formats are structured to exploit the hole, Yamamura says.

The vulnerability was first brought to Microsoft's notice about two months ago by Symantec.

News of the latest hole comes, ironically enough, one day after Microsoft rolled out a company-wide program called Strategic Technology Protection Program, which it says is designed to make it easier for corporations to secure their Windows environments.