Serious Vulnerability Exposed in Excel, PowerPoint
Microsoft Corp. Thursday night released a hotfix to patch a serious new vulnerability in its Excel and PowerPoint Office productivity applications.
The software giant acknowledged that the latest vulnerability makes it possible for an attacker to embed a malicious macro in a malformed Excel or PowerPoint document that can execute without first requiring a user’s permission.
In a bulletin that it distributed to the subscribers of its security mailing list, Microsoft confirmed that the existence of the new vulnerability and said that it affects Excel and PowerPoint versions 98, 2000, 2001 and 2002.
Excel and PowerPoint use a security engine – dubbed the macro-detecting framework –that first scans a document for macros prior to opening it, and which also requires a user's approval to run any macros that are embedded in a document.
This vulnerability is enabled because it’s possible for an attacker to create a malformed Excel or PowerPoint document that prevents the security scanning mechanism in both Office applications from detecting and scanning an embedded macro in the first place. Consequently, when a user double-clicks and opens a document of this type, the undetected macro is permitted to execute – even in cases in which a user has disabled macro support altogether.
Microsoft says that an attacker who successfully exploits a vulnerability of this kind could take any action on a compromised system that a legitimate user herself could take – and also cautions that code which the macro runs executes in the privilege context of the locally logged-in user. A malicious attacker could also script a macro to perform a variety of tasks – including disabling a user's Office security settings so that subsequently-opened Office documents would no longer be checked for macros.
The software giant acknowledged that older versions of Excel and PowerPoint could also be affected by this vulnerability. Because it has discontinued support for Office 97, however, Microsoft says that it has no plans to release patches for either application.
Redmond patched a similar vulnerability that affected Word versions 97, 98, 2000, 2001 and 2002 in June of this year.
Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.