[orangepeel]

Another zero day Excel flaw spotted
A week after the first
By Nick Farrell: Thursday 22 June 2006, 08:28

JUST AS MICROSOFT tries to fix a zero day Excel hole spotted last week, another bug in the popular spreadsheet program has been found.

According to an alert Symantec sent to customers the second zero day bug could cause Excel to crash after a malicious file is opened and there was a risk that an intruder could commandeer a PC and arbitrary code.

Symantec said that the problem is caused because Excel fails to properly check user-supplied input before copying it to an insufficiently sized memory buffer. It affects Excel 2003 and Excel XP but other versions might also be rolled over by the flaw.

Another security outfit Secunia classified the flaw as "highly critical," one stage below the "oh my god this flaw will sink civilisation as we know it and bring about chaos followed by a return to a stone age culture" classification.

Vole says that its team of experts were looking into the issue. A spokesVole said that a new vulnerability in Microsoft Windows that may be exploited when clicking on a hyperlink with Office documents. However no one has suffered yet, the spokesVole said cheerfully.

This is the second bug in Excel found in a week. The one found last week gives an attacker full control over a vulnerable PC and has been exploited in at least one targeted cyberattack.

More here. µ


******************************************

Nice to know that due to MS's stupid once a month patch system users must sit knowing they have this vulnerability for another 3 weeks! Insane.

Do yourself a favour...

[Dave]

Cheers OP. Reminds me of the boy with his thumb in the Dam

[Steve]

Quote:

Originally Posted by orangepeel

Nice to know that due to MS's stupid once a month patch system users must sit knowing they have this vulnerability for another 3 weeks! Insane.

Do yourself a favour...

I must admit that it seems almost reckless that a company the site of MS generally only releases patches on a monthly basis. You would think that as soon as the patch was teated and ready it would be put out.

Seems like bad PR to me

[orangepeel]

Funny you should say that They originally did the monthly release due to the bad PR/embarrassment involved in having to release patches and security updates daily

They've been banging on about how awesome, security wise, Vista is. Should be interesting to watch.

[Sonsey]

Quote:

Originally Posted by orangepeel

They've been banging on about how awesome, security wise, Vista is. Should be interesting to watch.

I've been delaying upgrading my PC to see what's needed when the new operating software eventually comes out, so I'm watching at all aswell.

[orangepeel]

I'm still running 2k on all my PC's coz it just works. luckilly so are a lot of big corporations so MS won't be doing a "98" to it anytime soon. At least not without being crucified by the big boys.

I just wish my development tools ran on linux or I'd have jumped ship years ago.