A new zero-day threat emerges for Excel

Tags: Kerberos, Office suites, Operating systems, Telecom & Utilities, Handhelds, John McCormick, Microsoft Office, phone, Microsoft Corp., Microsoft Windows Mobile, vulnerability, Microsoft Windows, Microsoft Excel, IT Locksmith Newsletter

Takeaway: Microsoft Word isn't the only Office application with zero-day vulnerabilities anymore—a new threat has emerged for Microsoft Excel. In addition, a pair of threats for Windows-based smart phones and two new holes in MIT's version of Kerberos have also surfaced. John McCormick has the details.

Yet another zero-day Microsoft Office threat has surfaced, as well as a pair of threats for Windows-based smart phones. In addition, two new holes in MIT's version of Kerberos start off the month.

Details

Microsoft has released yet another security advisory warning about zero-day threats. Security Advisory 932553 details a zero-day vulnerability in Microsoft Excel (CVE-2007-0671).

While the threat specifically applies to Excel files, other Office applications may also be at risk. This vulnerability affects Office 2000, Office XP, Office 2003, and Microsoft Office 2004 for Mac.

It does not affect Office 2007, Microsoft Works 2004, Microsoft Works 2005, or Microsoft Works 2006. That means opening an infected file in these applications won't trigger an attack.

To trigger an attack, the user must open the infected file—receiving the e-mail attachment won't trigger an attack. No patch is currently available. As always, the suggested workaround is to not open files from untrusted sources or unexpected files from trusted sources.

Excel isn't the only Microsoft application currently at risk. Two new flaws have emerged in the Windows Mobile software, which could cause cell phones to crash. Initially reported by Trend Micro, the vulnerabilities are in Internet Explorer for Windows Mobile and Windows Mobile Pictures and Video.

In an interesting coincidence, Kaspersky Lab has just announced that its new Anti-Virus Mobile software will cover Windows Mobile and Symbian phones—look for the formal announcement at this week's RSA Conference. Expect pricing to run about $30 per user per year.

Open source threats

In case you missed it, US-CERT recently published warnings about two Kerberos vulnerabilities that apply to the MIT open source version. VU#481564 and VU#831452 both allow a successful attacker to execute arbitrary code. They may also affect other software that uses the GSS-API or the RPC libraries. While Microsoft, of course, uses its own version of Kerberos, the MIT version has a great many users too, as do the associated libraries.

Final word

Although the Windows Mobile vulnerabilities probably won't cause any significant trouble, they're still important to note. As more and more users switch to smart phones, flaws in the underlying operating platforms that make the phones "smart" will lead to more and more significant disruptions from such threats.

Don't you just love technology? Pretty soon, your phone will be so smart that it takes calls on its own from people pushing malware. I probably don't use my cell phone a dozen times a year—heck, I don't even answer my landline phone. I rely almost 100 percent on e-mail and tons of filters instead.

But I'm definitely in the minority. A lot of people today only have cell phones. And that raises an important question: Just how do you contact customer support if your phone's been hacked?

John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.


smart phones? Tech Locksmith | 02/06/07
