The Windows Observer--New Excel Vulnerabilities Targeted in Zero-Day Attacks

Newsletters	Subscriptions	Forums	Safari	Store	Career	Media Kit	About Us	Contact	Search	Home

Volume 3, Number 21 -- June 21, 2006

New Excel Vulnerabilities Targeted in Zero-Day Attacks

Published: June 21, 2006

by Alex Woodie

Two undisclosed vulnerabilities in Excel are being exploited in zero-day attacks, according to security analyst groups. Just as Microsoft posted a workaround on its TechNet security site for the first vulnerability on Monday, a second zero-day vulnerability surfaced on Tuesday. Users are advised to be very careful with Excel documents until the program can be patched, which may not be for weeks.

Microsoft said last week it became aware of an attack carried out that requires a user to open a maliciously crafted Excel spreadsheet. "We've received a single report from a customer being impacted by an attack using a new vulnerability in Microsoft Excel," said Microsoft's Mike Reavey in the company's Security Response Center Blog last Friday.

The first vulnerability affects all current versions of Excel, including Excel 2003, Excel Viewer 2003, Excel 2002, Excel 2000, Excel 2004 for Mac, and Excel v. X for Mac. Microsoft notes that, in order for this attack to be carried out, "a user must first open a malicious Excel document that is sent as an email attachment or otherwise provided to them by an attacker," Reavey says. Microsoft's TechNet security team had investigated the problem, and issued a workaround, or instructions on how to minimize exposure to the problem in lieu of a patch, in Microsoft Security Advisory 921365 on Monday.

A second zero-day vulnerability was reported Tuesday by security researcher Secunia. The group, in its advisory SA20748, says the flaw is triggered when users click on a malformed link (which could indicate a problem in the underlying Windows operating system and not necessarily in Excel). Secunia says the flaw is not being actively exploited; however, the vulnerability is very easy to exploit, the group says, and other publications have reported that exploit code is already making rounds on the Web.

The episodes are reminiscent of the recent zero-day attack on Word (see "Zero-Day Word Exploit Attacks from Asia Reported"). Microsoft patched that flaw last week. However, Excel users may have to wait until the next round of patches on July 11 for a fix for the newly discovered Excel vulnerabilities.

Sponsored By
MKS

Knowledge is Power.

MKS brings you real-time visibility and traceability across platforms,
teams and the entire application lifecycle from requirements through deployment.

More than 60% of software projects in the U.S. fail, and poor requirements is
one of the top 5 reasons. Are your projects at risk?

With poor requirements being cited as one of the top 5 reasons for software project failures in the U.S. it is clear that requirements management must be an integral part of the development process, and is vital to mitigating risk on large projects. MKS offers you a truly unique solution - the first requirements management tool built into a complete application lifecycle management solution. The result is greater visibility and traceability for requirements throughout the lifecycle and better communication between development, QA and business users.

For more information, download the white paper: An Innovative Approach to Managing Software Requirements

Components of MKS Integrity for application lifecycle management include:
· MKS Requirements for integrated requirements management
· MKS Integrity Manager for process and workflow management and defect tracking
· MKS Source Integrity Enterprise for software configuration management,
version control and globally distributed team development
· Implementer for software configuration management and deployment on the iSeries
· OpenMake for enterprise build management
· MKS Build and Deploy for deployment management to production environments

MKS integrates with leading modernization tools such as IBM WebSphere and Microsoft Visual Studio .NET.

For more information, visit http://www.mks.com/solutions/index.jsp

Contact MKS Sales at 1-800-613-7535 or sales@mks.com

Editor: Alex Woodie

Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan

Publisher and Advertising Director: Jenny Thomas

Advertising Sales Representative: Kim Reed

Contact the Editors: To contact anyone on the IT Jungle Team
Go to our contacts page and send us a message.

Sponsored Links

Micro Focus: Develop, extend and deploy applications with Server Express and Enterprise Server
Wolf Computer Consulting: Reliable service and affordable rates for business computing needs
COMMON: Join us at the Fall 2006 conference, September 17-21, in Miami Beach, Florida

THIS ISSUE SPONSORED BY:
Vision Solutions OpenLogic Lakeview Technology World Data Products MKS

TABLE OF CONTENTS

Windows Improves in Reliability, Yankee Finds

Microsoft Unveils LOBi to Unite 3rd Party Apps with Office

Bill Gates Bowing Out

Dell Pre-Announces Generation 9 of PowerEdge Servers

But Wait, There's More:

Vice President In Charge of Windows Live Leaves Microsoft . . . New Excel Vulnerabilities Targeted in Zero-Day Attacks . . . Microsoft Launches Windows Live Messenger . . . Windows Compute Cluster Server Demoed at Stockbroker Conference . . . Windows Patches Kill Operations Console on V5R3 and V5R4 . . . Middleware Sales Continue to Grow in 2005, IBM Still the King . . .

The Windows Observer

BACK ISSUES


Happy 18th Birthday, AS/400; Time to Leave the Nest OS/400 V5R3 PTFs Can Corrupt Licensed Internal Code OS/400 Shops Share Their Training Experiences The X Factor: Virtual Server Sprawl


Cray Lands $200 Million Linux-Opteron Super Deal with DOE HP Says It Will "Blade Everything" As Next Gen Boxes Launch JBoss Moves Into Systems Management, Delivers Seam 1.0 The X Factor: Virtual Server Sprawl


Middleware Sales Continue to Grow in 2005, IBM Still the King Top Mainframe Stories and Vendor Announcements Chats, Webinars, Seminars, Shows, and Other Happenings


OpenSolaris: One Year Down, Participation Up Merrill Lynch Cases IT Spending, Server Buying Patterns HP Says It Will "Blade Everything" As Next Gen Boxes Launch The X Factor: Is Memory-Based Software Pricing the Answer?