Bug hunter reports flaw in Excel

[InfoSec News <isn () c4i org>]

http://news.com.com/2100-1001-924704.html?tag=fd_top

By Matt Loney 
Special to CNET News.com
May 28, 2002, 4:40 PM PT

A security hole in Microsoft's Excel XP spreadsheet application could
allow hackers to take over a computer by using specially formed XML
style sheets, according to a security expert.

Georgi Guninski, a well-known security adviser, posted an advisory to
his Web site on May 24 alerting people to the security hole. He said
that the problem arises when a person opens an Excel spreadsheet file,
choosing to view it with an XML style sheet. If the style sheet
contains specially formed code, the PC will try to run that code,
Guninski said.

"As script kiddies know, this may lead to taking full control over a
user's computer," Guninski said. "Excel does not give any warning to
the user--just asks whether to use the style sheet or not." By
default, however, Excel does not display spreadsheet files with the
style sheet, he added.

XML, or Extensible Markup Language, is a method that allows
programmers to set up a standard way of describing digital documents,
such as word processing files--or, as in this case, Excel
spreadsheets.

On his site, Guninski has posted a sample piece of code that would
fool Excel XP into thinking it contains a link to a style sheet but in
fact runs a command that lists directory contents on a person's PC.

To be safe, Guninski wrote on his site that users should not use XML
style sheets. Guninski said that Microsoft was notified of the flaw on
May 23.

A Microsoft representative said the software giant was researching the
report and criticized Guninski for going public with the alleged flaw.

"Responsible security researchers work with the vendor of a suspected
vulnerability issue to ensure that countermeasures are developed
before the issue is made public and customers are needlessly put at
risk," the representative said.

The flaw is just the latest in a number of security alerts related to
Microsoft products. Last week, the company warned people using Windows
NT and 2000 of a new flaw in its debugger tools that could give
attackers complete control of a system once the attackers gained basic
network access.

A week before, Microsoft urged people using Windows to download a fix
for Internet Explorer after six new flaws had been found in the Web
browser. The software company called three of the flaws critical, but
only one of them--a cross-site scripting error that affects only
Internet Explorer 6.0--would allow an attacker or a worm to run a
program on the victim's computer.

ZDNet U.K.'s Matt Loney reported from London.

News.com's David Becker contributed to this report.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.