[ISN] Bug hunter reports flaw in Excel

From: InfoSec News (isnat_private)
Date: Wed May 29 2002 - 02:49:12 PDT

  • Next message: InfoSec News: "[ISN] Assessment Is Charney's Job One"

    By Matt Loney 
    Special to CNET News.com
    May 28, 2002, 4:40 PM PT
    A security hole in Microsoft's Excel XP spreadsheet application could
    allow hackers to take over a computer by using specially formed XML
    style sheets, according to a security expert.
    Georgi Guninski, a well-known security adviser, posted an advisory to
    his Web site on May 24 alerting people to the security hole. He said
    that the problem arises when a person opens an Excel spreadsheet file,
    choosing to view it with an XML style sheet. If the style sheet
    contains specially formed code, the PC will try to run that code,
    Guninski said.
    "As script kiddies know, this may lead to taking full control over a
    user's computer," Guninski said. "Excel does not give any warning to
    the user--just asks whether to use the style sheet or not." By
    default, however, Excel does not display spreadsheet files with the
    style sheet, he added.
    XML, or Extensible Markup Language, is a method that allows
    programmers to set up a standard way of describing digital documents,
    such as word processing files--or, as in this case, Excel
    On his site, Guninski has posted a sample piece of code that would
    fool Excel XP into thinking it contains a link to a style sheet but in
    fact runs a command that lists directory contents on a person's PC.
    To be safe, Guninski wrote on his site that users should not use XML
    style sheets. Guninski said that Microsoft was notified of the flaw on
    May 23.
    A Microsoft representative said the software giant was researching the
    report and criticized Guninski for going public with the alleged flaw.
    "Responsible security researchers work with the vendor of a suspected
    vulnerability issue to ensure that countermeasures are developed
    before the issue is made public and customers are needlessly put at
    risk," the representative said.
    The flaw is just the latest in a number of security alerts related to
    Microsoft products. Last week, the company warned people using Windows
    NT and 2000 of a new flaw in its debugger tools that could give
    attackers complete control of a system once the attackers gained basic
    network access.
    A week before, Microsoft urged people using Windows to download a fix
    for Internet Explorer after six new flaws had been found in the Web
    browser. The software company called three of the flaws critical, but
    only one of them--a cross-site scripting error that affects only
    Internet Explorer 6.0--would allow an attacker or a worm to run a
    program on the victim's computer.
    ZDNet U.K.'s Matt Loney reported from London.
    News.com's David Becker contributed to this report.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed May 29 2002 - 06:25:00 PDT