For the third time this month, a security flaw has been found relating to Excel, an application not normally associated with viruses and bugs. In this case, however, the problem is not directly in Excel. At the same time, Microsoft had to issue a patch for a patch released on June 12 that was supposed to fix a critical security hole.
Fortunately, the newly discovered Excel-related flaw is not that severe. The patch that needed patching was the fix to Windows’ Routing and Remote Access (RRA) service, released as security bulletin MS06-025. While it closed the security hole, it broke direct dial-up scripting for some users with outdated modems.
A new document has been posted on the Microsoft support site addressing this issue. Microsoft is working on the patch but did not set a deadline for when a fix will be issued.
The Excel flaw is the third to be found in the widely used spreadsheet. The attack could be used to run unauthorized software on a PC, but it requires the user first to open an Excel document and then to click on a hyperlink in it. A warning about the vulnerability was first published on SecurityTracker.com, which tracks such errors.
The attack takes advantage of a flaw in Microsoft’s hyperlinking dynamic link library (DLL) in combination with Adobe’s Flash technology, which can be embedded in an Excel document. When the user opens the Excel file and clicks on the link, the malicious Flash code executes automatically without prompting the user, and it can theoretically do more than just play a Flash animation.
This is the third problem facing Excel in a week. On June 16, Microsoft alerted users to an unspecified vulnerability and warned them not to open file attachments from unknown sources. A second, less critical flaw was found days later. Microsoft has yet to issue patches for those two flaws.
Microsoft addressed the latest flaw in a blog posting, stating that the flaw is actually in hlink.dll, a Windows component that handles operations involving hyperlinks.
“Any attempt to exploit this vulnerability would require convincing a user to open a specially-crafted Excel document. The user would then also have to locate and click on a specially-crafted long link in that document. We have not found any way to attempt to exploit this vulnerability that involves simply opening a document: a user must click a hyperlink in the document,” wrote Christopher Budd in the posting.
Once again, Microsoft reiterated its advice not to open files from unknown senders, something people should have learned by now. “It’s no different than Word docs. When you get something from a stranger, you have to take a reasonable amount of caution not to blindly open things up,” said Stuart Moore, CEO of SecurityTracker.
Although the flaw is viewed as an Excel problem, the underlying bug is in the hyperlinking DLL; Excel was simply used as the proof of concept. “The way Microsoft sometimes smashes their apps and OSes together, sometimes it’s hard to tell where an app problem stops and an OS problem starts,” he said.