Excel security flaws out in the open

You have to love this quote:

“IT guys should tell end users right off the bat that if they see an unrecognizable Excel document in their inbox, they should treat it like porn — it’s not something you should be opening up at work.”

Full article here.

I guess this could probably be used as another excuse to kill VBA in future versions of Excel (and Office).


11 thoughts on “Excel security flaws out in the open”

  1. Excel 2007: 3 advisories over lifetime, 0 unpatched (source)

    Excel 2003: 14 advisories over lifetime, 1 unpatched (source: http://secunia.com/product/4970/?task=advisories)

    The only way they could have counted 33 over the last 18 months is by counting each advisory multiple times – one or more times per each Excel version. Unless you have multiple versions installed “average of almost two every month” is a meaningless statistic. For Excel 2007 the rate is less than one vulnerability every four months, all pre-SP1.

    VBA is not going anywhere any time soon.

  2. “The increase in attacks in Excel are numerous and the application seems to be at the forefront of ushering in frequent application-level attacks that we’re seeing more of now than ever,”

    The forefront? How many people did award-winning journalist Jabulani Leffall have to interview before he found someone with just the right amount of hyperbole?

  3. What would VBA be replaced with and what would make that replacement any more effective than changing seats on the Titanic? Is .NET any less susceptible to black, gray or white hat hackers? I doubt it.

  4. Doco,

    I believe the phrase is rearranging the deck chairs on the Titanic.

    But I agree and disagree with you. I think .Net is a little less susceptible to the script kiddie, but not to someone who is determined. But, lately, those who are determined to hack are those looking to make money out of it. I don’t know if that’s something they’re going to get out of an Excel attack.

    I don’t know how easily OO can be targeted with Python code so I can’t comment, except for that the limited userbase inherently makes it more secure by being a smaller target.

  5. Dick –

    Notice that many of the quotes came from “security experts” that owned companies that provided security to other companies? If they can convince their clients that problems exist, they can increase their revenues. I’ve been using a VM for internet access, without any AV, and the only “infection” I’ve gotten have been so called tracking cookies. No real threats.

    What the IT guys fear from letting users use Excel and VBA is the loss of control over those users.

  6. “IT guys should tell end users right off the bat that if they see an unrecognizable Excel document in their inbox, they should treat it like porn — it’s not something you should be opening up at work.”

    Most of the Excel files we work with are unrecognizable. Besides, if I treated every spreadsheet like porn, I WOULD open it up and take a gander. Look at that table structure…Wowza!

  7. Hey, you know what, if only they wanted to install a certificate server on the network so that users could sign their documents, they would also be able to leave the security settings on HIGH…

    Guess what, it is easier to set it to low rather than installing the server and teaching the users how to register a certificate.

  8. Mike said: “If I treated every spreadsheet like porn, I WOULD open it up and take a gander.”

    I’m sure Mike wasn’t the only one thinking this.

  9. I’m with Jon, so much of this ‘security’ fluff is a pure powerplay, by people who think it is their job to stop everyone else working.

    Bear in mind that many of these security issues are not macro driven, they are carefully corrupted .xls (and other) files that will upset Excel when it tries to open them. They may not contain any macros at all.

    ‘treat like porn…’, If they were treated like porn the sys admins would have already removed them from your email, quarantined them, sent you (and the sender) a threatening email, burned them onto cd and taken them home for personal use.

  10. If you want secure there is only one sure method. Locate the button labeled 1/0 and (firmly but gently)… press. In ten seconds or less you will be secure. Other than that it seems to me that common sense is one of the best defences.

    Keep your anti-virus up to date. Don’t open anything to do with Viagra or big boob (can you say boobs on this forum). If someone who never sends you jokes suddenly sends you a joke… the joke’s not funny… it’s a virus. If someone needs you to look at something urgently, but nothing they ever do is urgent… it’s not urgent… it’s a virus. Finally, most of the people who want your e-mail address have no interest in talking to you about anything you care about. Give them your hotmail account and then never check that account.

    My final caution. If you buy something from a store and they want to know your address, find out if they make housecalls to fix whatever it is you just bought. If the answer is no, then they don’t need your address.
