We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
79,812 News Articles

Excel users urged to patch exploit

Months-old Excel exploit goes public

Excel users have been urged to immediately apply a patch released earlier this month that tackles attack code that exploits a bug in Microsoft's spreadsheet application.

The exploit, which was posted to the milw0rm.com site, is the first made public for any of the seven vulnerabilities that were patched by Microsoft several days earlier in the security update tagged as MS08-014. That bulletin fixed multiple flaws in Excel 2000, 2002, 2003 and 2007 on Windows, and Excel 2004 and Excel 2008 on the Mac.

"The vulnerability that this exploit is designed to leverage was originally exploited in the wild on January 15, 2008," said Symantec security analyst Aaron Adams in an alert to customers of the company's DeepSight threat notification service. "We believe it leverages CVE-2008-0081 ... [and] involves the manipulation of an uninitialised stack variable by specially crafting an Excel file such that stack data will be pre-populated with user-supplied data and therefore able to influence the value of the uninitialised variable."

Critical Office fixes dominate Patch Tuesday

Microsoft patch confuses Excel 2003 calculations

Microsoft labelled CVE-2008-0081 'critical' on Excel 2000, and 'important' on Excel 2002 and 2003.

Microsoft first acknowledged the Excel bug more than two months ago, when it confirmed that hackers were attacking Windows machines via Excel. At the time, the company's security team characterised the attacks as "targeted and not widespread".

Once the attack code was publicly posted on Friday, Adams advised users to apply MS08-014 immediately. "This should be considered a high priority in light of the availability of exploit code," he said. "Additionally, users should be advised to carry out extreme caution when handling Excel files received online. If possible, Excel files should be filtered at the e-mail gateway until the updates can be applied."

The MS08-014 update was the same one that Microsoft had to re-release last week after it discovered one of the Excel fixes had produced a regression error that generated wrong results in some calculations.

See Business Advisor for the latest technology news, reviews and tutorials, plus the chance to win a Dell laptop


IDG UK Sites

45 Best Android games: top Android games for your smartphone or tablet in 2014 (24 are free!)

IDG UK Sites

How Apple, Adobe, Microsoft and others have let us down over UltraHD and hiDPI screens

IDG UK Sites

Do you have the X-Factor too? Mix Off app puts fans in the frame

IDG UK Sites

iPad Pro release date, rumours and leaked images - 12.9 screen 'coming in 2015'