Serious Vulnerability Exposed in Excel, PowerPoint

Microsoft Corp. Thursday night released a hotfix to patch a serious new vulnerability in its Excel and PowerPoint Office productivity applications.

The software giant acknowledged that the latest vulnerability makes it possible for an attacker to embed a malicious macro in a malformed Excel or PowerPoint document that can execute without first requiring a user’s permission.

In a bulletin that it distributed to the subscribers of its security mailing list, Microsoft confirmed that the existence of the new vulnerability and said that it affects Excel and PowerPoint versions 98, 2000, 2001 and 2002.

Excel and PowerPoint use a security engine – dubbed the macro-detecting framework –that first scans a document for macros prior to opening it, and which also requires a user's approval to run any macros that are embedded in a document.

This vulnerability is enabled because it’s possible for an attacker to create a malformed Excel or PowerPoint document that prevents the security scanning mechanism in both Office applications from detecting and scanning an embedded macro in the first place. Consequently, when a user double-clicks and opens a document of this type, the undetected macro is permitted to execute – even in cases in which a user has disabled macro support altogether.

Microsoft says that an attacker who successfully exploits a vulnerability of this kind could take any action on a compromised system that a legitimate user herself could take – and also cautions that code which the macro runs executes in the privilege context of the locally logged-in user. A malicious attacker could also script a macro to perform a variety of tasks – including disabling a user's Office security settings so that subsequently-opened Office documents would no longer be checked for macros.

The software giant acknowledged that older versions of Excel and PowerPoint could also be affected by this vulnerability. Because it has discontinued support for Office 97, however, Microsoft says that it has no plans to release patches for either application.

Redmond patched a similar vulnerability that affected Word versions 97, 98, 2000, 2001 and 2002 in June of this year.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.


  • Google IDs on Azure Active Directory B2B Service Now at 'General Availability'

    Microsoft announced on Wednesday that users of the Google identity and access service can use their personal log-in IDs with the Azure Active Directory B2B service to access resources as "guests."

  • Top 4 Overlooked Features of a Data Backup Strategy

    When it comes to implementing an airtight backup-and-recovery plan, these are the four must-have features that many enterprises nevertheless tend to forget.

  • Microsoft Bolsters Kubernetes with Azure Confidential Computing

    Microsoft on Tuesday announced various developments concerning the use of Kubernetes, an open source container orchestration solution fostered by Google.

  • Windows Will Have Support for Encrypted DNS

    Microsoft announced this week that the Windows operating system already has support for an encrypted Domain Name System option that promises to add greater privacy protections for Internet connections.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.