MS Excel Hit with Security Holes in a Month

Probably the most used application in the Microsoft Office suite, Excel has been hit with three security holes this month.

Microsoft has published a Security Advisory, warning Excel users of an Excel vulnerability that allows remote code execution. Affected users should check the suggested workarounds, since this vulnerability is already being exploited: see here for a representative malware sample.

Then it was found that entering a very long URL in an Excel cell causes a buffer overflow. Microsoft has not published any advisory regarding this vulnerability. Full Disclosure has the details here. Here is a description of malware that exploits this vulnerability.

And lastly, another security hole in Excel has been discovered, this one involving Shockwave Flash Objects embedded in a spreadsheet. The Flash file may contain malicious JavaScript code, and it is opened whenever the Excel workbook in which it is embedded is opened. Full Disclosure has the following details. Here is the description of malware that exploits this problem.
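Since no patch is available, one way to triage incoming attachments for the embedded-Flash case is to flag workbooks that carry a Flash object at all. The sketch below is an added example, not code from Microsoft or the advisories mentioned here; it assumes legacy binary `.xls` (OLE2) files whose embedded object data is stored uncompressed, does a heuristic raw-byte scan rather than parsing the container, and its function names, size bound and sample bytes are constructed for illustration.

```python
import re
import uuid

# CLSID of the Shockwave Flash ActiveX control, in the byte order OLE2
# storage uses on disk (first three fields little-endian).
FLASH_CLSID = uuid.UUID("D27CDB6E-AE6D-11CF-96B8-444553540000").bytes_le
FLASH_PROGID = "ShockwaveFlash.ShockwaveFlash"
# SWF header: "FWS" (raw) or "CWS" (zlib), a version byte, 4-byte LE length.
SWF_HEADER = re.compile(rb"[FC]WS[\x01-\x32](.{4})", re.DOTALL)
MAX_SWF_SIZE = 100 * 1024 * 1024  # assumed sanity bound on declared length


def find_flash_indicators(data: bytes) -> list:
    """Return the names of Flash-embedding indicators found in raw file bytes."""
    hits = []
    if FLASH_CLSID in data:
        hits.append("flash-clsid")
    if FLASH_PROGID.encode("ascii") in data or FLASH_PROGID.encode("utf-16-le") in data:
        hits.append("flash-progid")
    for m in SWF_HEADER.finditer(data):
        declared = int.from_bytes(m.group(1), "little")
        if 8 <= declared <= MAX_SWF_SIZE:  # drop random 3-byte coincidences
            hits.append(f"swf-header@{m.start()}")
    return hits


def scan_file(path: str) -> list:
    """Scan one attachment on disk; an empty list means nothing was flagged."""
    with open(path, "rb") as fh:
        return find_flash_indicators(fh.read())


# Constructed samples (not real workbooks): OLE2 magic followed by filler.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
SAMPLE_WITH_FLASH = (
    OLE_MAGIC + b"\x00" * 24 + FLASH_CLSID
    + FLASH_PROGID.encode("utf-16-le")
    + b"FWS\x08" + (200).to_bytes(4, "little") + b"\x00" * 192
)
# "FWS " in ordinary text is rejected because the implied length is absurd.
SAMPLE_PLAIN = OLE_MAGIC + b"\x00" * 24 + b"Q2 totals; see FWS report"

if __name__ == "__main__":
    print(find_flash_indicators(SAMPLE_WITH_FLASH))
    print(find_flash_indicators(SAMPLE_PLAIN))
```

A hit means the workbook embeds Flash content and deserves a closer look before anyone opens it; it does not by itself mean the file is malicious.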

As usual, be careful when you receive an Excel file as an attachment to an unsolicited email, or to an email coming from unknown or untrusted sources. Take note that Microsoft has not yet released patches for the said vulnerabilities.