Serious Vulnerability Exposed in Excel, PowerPoint

Microsoft Corp. Thursday night released a hotfix to patch a serious new vulnerability in its Excel and PowerPoint Office productivity applications.

The software giant acknowledged that the latest vulnerability makes it possible for an attacker to embed a malicious macro in a malformed Excel or PowerPoint document that can execute without first requiring a user’s permission.

In a bulletin that it distributed to the subscribers of its security mailing list, Microsoft confirmed the existence of the new vulnerability and said that it affects Excel and PowerPoint versions 98, 2000, 2001 and 2002.

Excel and PowerPoint use a security engine – dubbed the macro-detecting framework – that first scans a document for macros prior to opening it, and which also requires a user's approval to run any macros that are embedded in a document.

This vulnerability exists because it is possible for an attacker to create a malformed Excel or PowerPoint document that prevents the security scanning mechanism in both Office applications from detecting and scanning an embedded macro in the first place. Consequently, when a user double-clicks and opens a document of this type, the undetected macro is permitted to execute – even in cases in which the user has disabled macro support altogether.

Microsoft says that an attacker who successfully exploits a vulnerability of this kind could take any action on a compromised system that a legitimate user herself could take – and also cautions that code which the macro runs executes in the privilege context of the locally logged-in user. A malicious attacker could also script a macro to perform a variety of tasks – including disabling a user's Office security settings so that subsequently-opened Office documents would no longer be checked for macros.

The software giant acknowledged that older versions of Excel and PowerPoint could also be affected by this vulnerability. Because it has discontinued support for Office 97, however, Microsoft says that it has no plans to release patches for either application.

Redmond patched a similar vulnerability that affected Word versions 97, 98, 2000, 2001 and 2002 in June of this year.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.
