Finjan: MS didn't address Excel security hole

Although Microsoft identified a security vulnerability in its Excel spreadsheet in December, it failed to provide a complete fix for the problem - and now a real-world example of code that exploits it has been discovered, according to security company Finjan Software. Finjan says the so-called Russian New Year exploit uses a combination of HTML code and the Call feature in Excel to mount attacks. It says a hacker could use it to request that Excel copy information from a PC or install code, such as the BackOrifice hacker tool.

Although Microsoft identified a theoretical security vulnerability in its Excel spreadsheet in December, the company has failed to provide a complete fix for the problem, and now a real-world example of code that exploits it has been discovered, according to security company Finjan Software.

Finjan claims that the Russian New Year exploit -- so named because it is said to have originated somewhere in Russia around the New Year -- combines HTML code with the Call feature in Excel (the CALL function, which passes control to a routine in a named DLL) to mount attacks. Because the HTML can be delivered as mobile code, a hacker could use it to make Excel copy information off a PC or install code, such as the BackOrifice hacker tool, according to Finjan officials.

"This Call function has the ability to call [DLLs] or native code," said Penny Leavy, vice president of worldwide marketing and business development at Finjan. "All you have to have is Excel 95 or 97 installed on your machine; it does not have to be running."

On Dec. 10, 1998, Microsoft issued a patch for the vulnerability. According to Finjan officials, however, the patch does not go far enough: Finjan points out that it is available only for Excel 97, not Excel 95; that it is available only for English-language versions of the product; and that it does not stop macros from reaching Call.
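To make concrete what Leavy describes, here is an added example (not code from Finjan, Microsoft or the exploit itself) that scans formulas already extracted from a workbook as text and flags every CALL invocation, reading off the DLL and export name when they are given as literals. It assumes the Excel 4 macro-language argument order CALL(module_text, procedure, type_text, ...), the comma as argument separator as in English-locale Excel, and a constructed set of sample cells; the two-argument form, whose first argument is an identifier returned by REGISTER rather than a DLL name, is reported without a resolved module.

```python
"""Flag Excel CALL() formulas, which hand control to an exported DLL routine.

Added example. Assumes the formulas have already been pulled out of the
workbook as text and that the argument separator is the comma.
"""
import re
from typing import Dict, Iterator, List, Optional, Tuple

CALL_RE = re.compile(r"CALL\s*\(", re.IGNORECASE)


def _call_starts(formula: str) -> Iterator[Tuple[int, int]]:
    """Yield (start, arg_start) for each CALL( that is outside a quoted
    string and is not the tail of a longer name such as RECALL(."""
    i, in_str = 0, False
    while i < len(formula):
        c = formula[i]
        if in_str:
            if c == '"':
                if formula[i + 1 : i + 2] == '"':   # "" is an escaped quote
                    i += 1
                else:
                    in_str = False
        elif c == '"':
            in_str = True
        else:
            m = CALL_RE.match(formula, i)
            prev = formula[i - 1] if i else ""
            if m and not (prev.isalnum() or prev in "_."):
                yield i, m.end()
                i = m.end()
                continue
        i += 1


def _split_args(s: str, start: int) -> Tuple[List[str], int]:
    """Split the argument list beginning at `start` (just past the '(').
    Commas inside quotes or nested parentheses do not separate arguments.
    Returns the raw arguments and the index just past the closing ')'."""
    args: List[str] = []
    buf: List[str] = []
    depth, in_str, i = 0, False, start
    while i < len(s):
        c = s[i]
        buf.append(c)
        if in_str:
            if c == '"':
                if s[i + 1 : i + 2] == '"':
                    buf.append('"')
                    i += 1
                else:
                    in_str = False
        elif c == '"':
            in_str = True
        elif c == "(":
            depth += 1
        elif c == ")":
            if depth == 0:
                buf.pop()                      # drop the closing ')'
                args.append("".join(buf).strip())
                return args, i + 1
            depth -= 1
        elif c == "," and depth == 0:
            buf.pop()                          # drop the separator
            args.append("".join(buf).strip())
            buf = []
        i += 1
    raise ValueError("unterminated CALL( argument list in: " + s)


def _literal(arg: str) -> Optional[str]:
    """Value of a double-quoted literal argument, else None (a cell
    reference or REGISTER() id cannot be resolved statically)."""
    if len(arg) >= 2 and arg[0] == '"' and arg[-1] == '"':
        return arg[1:-1].replace('""', '"')
    return None


def find_calls(formula: str) -> List[Dict[str, Optional[str]]]:
    """One record per CALL in `formula`. With three or more arguments the
    Excel 4 macro form is CALL(module_text, procedure, type_text, ...), so
    the DLL and export name can be read off when they are literals."""
    records = []
    for start, arg_start in _call_starts(formula):
        args, end = _split_args(formula, arg_start)
        rec: Dict[str, Optional[str]] = {
            "raw": formula[start:end], "module": None,
            "procedure": None, "type_text": None,
        }
        if len(args) >= 3:
            rec["module"] = _literal(args[0])
            rec["procedure"] = _literal(args[1])
            rec["type_text"] = _literal(args[2])
        records.append(rec)
    return records


def scan_cells(cells: Dict[str, str]) -> List[Dict[str, Optional[str]]]:
    """Run find_calls over a {cell: formula} map, tagging hits with the cell."""
    return [{"cell": cell, **rec}
            for cell, formula in cells.items() for rec in find_calls(formula)]


# Constructed sample cells (not taken from the Russian New Year exploit).
SAMPLE_CELLS = {
    "Sheet1!A1": "=SUM(B1:B3)",
    "Sheet1!A2": '=CALL("Kernel32","GetTickCount","J")',
    "Sheet1!A3": '=IF(A1>0, call( "user32" , "MessageBoxA", "JJCCJ", 0, "hi, there", "t", 0), 0)',
    "Macro1!A1": '=CALL(B1,"C:\\temp\\setup.exe")',   # B1 assumed to hold a REGISTER() id
    "Sheet1!A4": '="Mentions CALL(x) inside a string, not a call"',
}

if __name__ == "__main__":
    for hit in scan_cells(SAMPLE_CELLS):
        print(f'{hit["cell"]}: {hit["module"]}!{hit["procedure"]}  <- {hit["raw"]}')
```

Running the block reports Sheet1!A2, Sheet1!A3 and Macro1!A1. Sheet1!A4 is not reported because its CALL( sits inside a string literal, and Macro1!A1 is reported with no module because its first argument is a cell reference rather than a DLL name. Getting the formulas out of a workbook in the first place is outside this example.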

"We are not anti-Microsoft on this," said Ron Moritz, director of the technology office at Finjan. "[But] they haven't gone all the way in addressing [the problem]."

Microsoft, however, accused Finjan of being alarmist.

"They [Finjan] are describing a scenario that's consistent with what we described in December, and I'm not sure why they're promoting it as something new," said John Duncan, Microsoft Office product manager. "This issue is nothing new, and it is not different in any way from other potential situations that a malicious hacker could engage in. I'm not sure how it helps customers to be alarmist."

Both companies agreed, however, that the short-term answer is to disable the Call feature in Excel.

The Excel 97 fix can be found at officeupdate.microsoft.com/downloadDetails/xl97cfp.htm.

Finjan Software Inc., in San Jose, Calif., can be reached at www.finjan.com. Microsoft Corp., in Redmond, Wash., can be reached at www.microsoft.com.
