Serious Vulnerability Exposed in Excel, PowerPoint

Microsoft Corp. Thursday night released a hotfix to patch a serious new vulnerability in its Excel and PowerPoint Office productivity applications.

The software giant acknowledged that the latest vulnerability makes it possible for an attacker to embed a malicious macro in a malformed Excel or PowerPoint document that can execute without first requiring a user’s permission.

In a bulletin that it distributed to the subscribers of its security mailing list, Microsoft confirmed the existence of the new vulnerability and said that it affects Excel and PowerPoint versions 98, 2000, 2001 and 2002.

Excel and PowerPoint use a security engine, dubbed the macro-detecting framework, that first scans a document for macros prior to opening it, and which also requires a user's approval to run any macros that are embedded in a document.

The vulnerability exists because an attacker can create a malformed Excel or PowerPoint document that prevents the security scanning mechanism in both Office applications from detecting and scanning an embedded macro in the first place. Consequently, when a user double-clicks and opens a document of this type, the undetected macro is permitted to execute, even in cases in which the user has disabled macro support altogether.
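The failure mode above is a classic fail-open scanner: the pre-open check gives up on a malformed structure and reports "clean", while the application's own loader is more tolerant, still finds the macro, and runs it with no gate at all. The following is an added illustration written for this page, not code from Microsoft or from any Office file-format parser. It uses a deliberately simple constructed container (4-byte tag, 4-byte length, payload) that is not the Office binary format; the tags `MACR` and `TEXT`, the functions, and the sample documents are all hypothetical. It shows the naive scanner being bypassed by a bogus record length, and a fail-closed scanner that treats any parse anomaly as untrusted.

```python
"""Fail-open versus fail-closed macro scanning on a constructed toy format.

Container layout (constructed for this example, NOT the Office format):
    tag (4 bytes) | length (uint32, big-endian) | payload (length bytes)
"""
import struct

MACRO_TAG = b"MACR"   # hypothetical tag for an embedded macro record
TEXT_TAG = b"TEXT"    # hypothetical tag for ordinary document content


class MalformedDocument(Exception):
    """Raised by the strict scanner on any structural anomaly."""


def build_document(records):
    """Serialise (tag, payload) pairs into the toy container."""
    out = b""
    for tag, payload in records:
        assert len(tag) == 4
        out += tag + struct.pack(">I", len(payload)) + payload
    return out


def naive_scan_has_macro(doc):
    """Fail-open scanner: a record whose declared length runs past the end
    of the file makes it stop and report 'no macros', hiding everything
    that follows the bad record."""
    pos = 0
    while pos + 8 <= len(doc):
        tag = doc[pos:pos + 4]
        length = struct.unpack(">I", doc[pos + 4:pos + 8])[0]
        if pos + 8 + length > len(doc):
            return False              # overrun: bail out and call it clean
        if tag == MACRO_TAG:
            return True
        pos += 8 + length
    return False


def lenient_loader_find_macros(doc):
    """Models the application's loader, which is more tolerant than the
    scanner: on a bad length it resynchronises on the next known tag and
    keeps going. The heuristic itself is constructed; the point is that two
    parsers disagree about what the file contains."""
    macros = []
    pos = 0
    while pos + 8 <= len(doc):
        tag = doc[pos:pos + 4]
        length = struct.unpack(">I", doc[pos + 4:pos + 8])[0]
        if pos + 8 + length > len(doc):
            candidates = [doc.find(t, pos + 8) for t in (MACRO_TAG, TEXT_TAG)]
            candidates = [i for i in candidates if i != -1]
            if not candidates:
                break
            pos = min(candidates)     # resync and continue parsing
            continue
        if tag == MACRO_TAG:
            macros.append(doc[pos + 8:pos + 8 + length])
        pos += 8 + length
    return macros


def strict_scan_has_macro(doc):
    """Fail-closed scanner: unknown tags, truncated headers and length
    overruns are all errors, never 'clean'. It also walks every byte, so
    it cannot be steered past a record the loader would later accept."""
    pos = 0
    while pos < len(doc):
        if pos + 8 > len(doc):
            raise MalformedDocument("truncated record header at offset %d" % pos)
        tag = doc[pos:pos + 4]
        length = struct.unpack(">I", doc[pos + 4:pos + 8])[0]
        if tag not in (MACRO_TAG, TEXT_TAG):
            raise MalformedDocument("unknown tag %r at offset %d" % (tag, pos))
        if pos + 8 + length > len(doc):
            raise MalformedDocument("record at offset %d overruns the file" % pos)
        if tag == MACRO_TAG:
            return True
        pos += 8 + length
    return False


def macros_that_would_run(doc, scanner, macros_disabled=True):
    """Models the application's open path. If the scanner flags macros, the
    user's macro setting is honoured; if the scanner says 'clean', the file
    is opened with no macro gate and whatever the loader finds executes.
    A scanner error is treated as untrusted and the file is not opened."""
    try:
        flagged = scanner(doc)
    except MalformedDocument:
        return []                     # fail closed
    if flagged:
        return [] if macros_disabled else lenient_loader_find_macros(doc)
    return lenient_loader_find_macros(doc)


# Constructed sample documents.
BENIGN = build_document([(TEXT_TAG, b"quarterly figures")])
HONEST_MACRO = build_document([(TEXT_TAG, b"hi"), (MACRO_TAG, b'Shell("calc")')])


def build_evasive_document():
    """A TEXT record with a bogus length that overruns the file, followed by
    a real macro record the naive scanner never reaches."""
    bogus = TEXT_TAG + struct.pack(">I", 0xFFFFFFFF) + b"hello"
    macro = b'Shell("calc")'
    return bogus + MACRO_TAG + struct.pack(">I", len(macro)) + macro
```

With the user's macro setting at "disabled", the honest macro document is blocked by both scanners, but the evasive document slips past `naive_scan_has_macro` and its macro payload is returned by `macros_that_would_run`; the same file makes `strict_scan_has_macro` raise, and nothing runs. The practical lesson is the one the article implies: a pre-open scanner must share the loader's notion of well-formedness, and any document it cannot fully parse must be treated as hostile rather than clean.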

Microsoft says that an attacker who successfully exploits a vulnerability of this kind could take any action on a compromised system that a legitimate user herself could take – and also cautions that code which the macro runs executes in the privilege context of the locally logged-in user. A malicious attacker could also script a macro to perform a variety of tasks – including disabling a user's Office security settings so that subsequently-opened Office documents would no longer be checked for macros.

The software giant acknowledged that older versions of Excel and PowerPoint could also be affected by this vulnerability. Because it has discontinued support for Office 97, however, Microsoft says that it has no plans to release patches for either application.

Redmond patched a similar vulnerability that affected Word versions 97, 98, 2000, 2001 and 2002 in June of this year.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.
