Serious Vulnerability Exposed in Excel, PowerPoint

Microsoft Corp. Thursday night released a hotfix to patch a serious new vulnerability in its Excel and PowerPoint Office productivity applications.

The software giant acknowledged that the latest vulnerability makes it possible for an attacker to embed a malicious macro in a malformed Excel or PowerPoint document that can execute without first requiring a user’s permission.

In a bulletin that it distributed to the subscribers of its security mailing list, Microsoft confirmed that the existence of the new vulnerability and said that it affects Excel and PowerPoint versions 98, 2000, 2001 and 2002.

Excel and PowerPoint use a security engine – dubbed the macro-detecting framework –that first scans a document for macros prior to opening it, and which also requires a user's approval to run any macros that are embedded in a document.

This vulnerability is enabled because it’s possible for an attacker to create a malformed Excel or PowerPoint document that prevents the security scanning mechanism in both Office applications from detecting and scanning an embedded macro in the first place. Consequently, when a user double-clicks and opens a document of this type, the undetected macro is permitted to execute – even in cases in which a user has disabled macro support altogether.

Microsoft says that an attacker who successfully exploits a vulnerability of this kind could take any action on a compromised system that a legitimate user herself could take – and also cautions that code which the macro runs executes in the privilege context of the locally logged-in user. A malicious attacker could also script a macro to perform a variety of tasks – including disabling a user's Office security settings so that subsequently-opened Office documents would no longer be checked for macros.

The software giant acknowledged that older versions of Excel and PowerPoint could also be affected by this vulnerability. Because it has discontinued support for Office 97, however, Microsoft says that it has no plans to release patches for either application.

Redmond patched a similar vulnerability that affected Word versions 97, 98, 2000, 2001 and 2002 in June of this year.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.


  • Microsoft Starting To Roll Out New Excel Connected Data Types

    Microsoft on Thursday announced some Excel and Power BI enhancements that add "connected data types" on top of the standard strings and numbers options.

  • Windows 10 Users Getting New Process for Finding Optional Driver Updates

    Accessing Windows 10 drivers classified as "optional updates" will be more of a manual seek-and-install type of experience, starting on Nov. 5, 2020, Microsoft explained in a Wednesday announcement.

  • Microsoft Changes Privacy Platform Name to SmartNoise

    Microsoft Research has changed the name of its "differential privacy" platform from "WhiteNoise" to "SmartNoise," according to a Wednesday announcement.

  • Why Restarting a Failed SCVMM Job Might Be a Bad Idea

    Occasionally, restarting a failed System Center Virtual Machine Manager job can leave your virtualization infrastructure in an unknown state. Here's how to avoid that.

comments powered by Disqus