Microsoft warns of PowerPoint, Excel vulnerabilities

Computerworld - Microsoft Corp. is warning users of a security hole in its popular Excel and PowerPoint software that could let malicious attackers take control of a victim's computer.

The vulnerability affects Microsoft Excel 2000 and 2002 for Windows and PowerPoint 2000 and 2002 for Windows, as well as various versions of the software for the Macintosh platform, according to a Microsoft advisory posted Thursday.

Patches for the affected software are available immediately and should be applied as soon as possible, Microsoft said in its advisory.

The vulnerability exists in the way macros are detected in PowerPoint and Excel documents, according to the company.

Macros are small pieces of code in applications such as PowerPoint and Excel that automate certain tasks, such as finding and replacing text, on behalf of the user.

In the past, attackers have created malicious macros capable of deleting or changing files or moving them to different locations. They also have hidden the code in PowerPoint and Excel documents.

To deal with this threat, Microsoft has for some time included a functionality in both applications that scans for the presence of macros in all PowerPoint and Excel documents. The feature alerts users if a macro is detected, allowing the user to decide whether to permit the macro to be executed.

The vulnerability allows users to create PowerPoint and Excel documents that skirt this protection and allows macros to execute automatically without user permission, said Motoaki Yamamura, a senior development manager at Cupertino, Calif.-based Symantec Corp.'s security response team.

As a result, a cracker could create and send PowerPoint and Excel documents which, when opened, would cause malicious code to run in the background without the victim's knowledge.

Because users aren't alerted to the presence of a macro in such malformed documents, "They might feel secure, when in reality they are not," Yamamura said.

It would require an attacker with a good understanding of the software and how Microsoft file formats are structured to exploit the hole, Yamamura said.

The vulnerablity was first brought to Microsoft's notice about two months ago by Symantec.

News of the latest hole comes, ironically enough, one day after Microsoft rolled out a companywide program called the Strategic Technology Protection Program, which is aimed at making it easier for corporations to secure their Windows environments (see story).

Related stories:

• Microsoft stands by IIS despite Gartner recommendation, Sept. 26, 2001



• Secure your users, Sept. 24, 2001



• Resolving Windows insecurities, Sept. 24, 2001

Read more about security in Computerworld's Security Knowledge Center.