Print this article | E-mail this article | Comment on this article

Another Malformed String Exploit Plagues Excel

By Scott M. Fulton, III, BetaNews

February 5, 2007, 12:24 PM

This morning, Microsoft acknowledged the discovery of a new and active exploit involving a malformed string that can trigger a typical overflow in Excel, with the usual bypassing of privilege dangers that ensue. Although the company says the attacks it has seen thus far appear limited and targeted, it’s repeating its warning to users not to open spreadsheets sent in e-mails from untrusted users.

Contrary to some interpretations, this is not an Outlook problem. = Instead, it appears to involve spreadsheets that contain intentionally malformed records where the image data for embedded bitmaps in a record, or IMDATA, have been malformed to trigger buffer overflows.

What has not yet been made clear -– for obvious reasons –- is exactly how the chain of events triggered by the malformed string leads to the execution of malicious code perhaps embedded elsewhere in the false image data, though such mechanisms often turn out to be less ingenious than many would speculate.

According to Microsoft, the exploit involves versions of Excel shipped as part of Office 2003, Office XP, and Office 2000 versions for Windows, as well as Office 2004 for Macintosh, although there are no reports of active exploits against Mac users.

Office 2007 uses an entirely new XML-based spreadsheet format by default; however, there are no reports of Excel 2007 opening spreadsheets in the older format (which they can certainly do) and becoming susceptible to the same overflow trouble.

As many as five malformed records attacks involving these same Excel versions were discovered in January alone; and today some security companies, including CA, are treating this new instance as another exploitation vector of an existing category.

Add a Comment (5 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

By Dev3lop3

edited Feb 5, 2007 - 5:46 PM

Yeah, but...

ZOIKS AGAIN!
The grass is much browner on your side of the fence... :)

Score: 0

By dan-0

edited Feb 5, 2007 - 2:04 PM

how many times do you have to say "do not open email attachments from someone you do not trust and did not expect" before it sinks in?

Score: 0

By Paul Skinner

posted Feb 5, 2007 - 2:38 PM

About as long as it takes for people to switch to Office 2007 by the looks of things.

Score: 0

By zridling

posted Feb 5, 2007 - 5:28 PM

That's a nice racket Microsoft has there — upgrade or else your data will suffer attack after attack after attack. Funny how handing over (ransom?) money is always the answer for Microsoft.

Score: 0

By Paul Skinner

posted Feb 5, 2007 - 7:44 PM

"upgrade or else your data will suffer attack after attack after attack"

You left off the end of that:

"if you're retarded enough to open email attachments from people you don't know."

But yes, that's how all companies work. They need customers to buy their new updated software, it's how they get profit so that the owners can get rich. It's not new.

Score: 0

Sep 5 - 8:44 PM ET Mozilla's Aza Raskin: The journey back to Ubiquity

Sep 5 - 7:10 PM ET Red Hat buys virtualization specialist Qumranet

Sep 5 - 7:06 PM ET Analysts: Online news viewers rising as newspaper readership falls

Sep 5 - 6:55 PM ET Where does Sarah Palin stand on technology issues?

Sep 5 - 6:51 PM ET Adobe Flash to deliver NFL games in full

Sep 5 - 4:29 PM ET Exclusive beta invitation from GameTap and BetaNews

Sep 5 - 4:09 PM ET Report: OLPC buy one, give one deal returns

Sep 5 - 3:45 PM ET No ruling yet in TiVo vs. EchoStar patent case

Sep 5 - 3:37 PM ET Google Analytics starts tracking Chrome, with intriguing results

Sep 5 - 2:14 PM ET Comcast challenges FCC's authority in sanction appeal