Interesting People mailing list archives

IP: HOLE IN THE WEB LEAVES SECURITY GAP (from Edupage)


From: Dave Farber <farber () cis upenn edu>
Date: Tue, 05 Jan 1999 20:22:48 -0500



Israeli computer security firm Finjan Inc. is publicizing a potentially 
serious security "hole" that exploits a function of Microsoft's Excel 
spreadsheet software to booby-trap Web sites. Excel is frequently used to 
divide Web sites into "frames," and Finjan says a malicious cracker could 
create code that would be secretly downloaded onto Web site visitors' 
computers and wreak havoc among spreadsheet pages, word-processing files or 
other data without the user's knowledge. The hole, which is believed to 
have been discovered first in Russia, requires that the user's machine 
contain the Excel software, but Excel doesn't have to be running in order 
for damage to occur. "We think this is probably the biggest security hole 
in Internet history," says Finjan's CEO. "Any student at Stanford could 
potentially exploit it." Microsoft says it issued a bulletin in early 
December warning of the problem, and is offering a software patch to fix it. 
"We have not gotten a single customer inquiry on the issue yet," says John 
Duncan, a product manager in Microsoft's Office group. "But any security 
issue is serious, and that is why, as soon as we've identified something, we 
are going to respond very aggressively." (Wall Street Journal 5 Jan 99)

