Slashdot: News for Nerds

No Patch For Excel Zero-Day Flaw

timothy posted more than 5 years ago | from the excel-lent dept.

Security 52

CWmike writes "Microsoft said today that it will deliver three security updates on Tuesday, one of them marked 'critical,' but will not fix an Excel flaw that attackers are now exploiting. 'It doesn't look like we're going to see patches for any open Microsoft security advisories,' said Andrew Storms, director of security operations at nCircle Network Security, pointing to three that have not yet been closed. Those include two advisories issued last year — one from April 2008, another from December — and the Excel alert published last week. 'I'm not really surprised that the Excel vulnerability won't be patched, what with the timeline,' said Storms, 'but the others have been open for a long time.'"


52 comments

HAHAHAHHA (3, Interesting)

Culture20 (968837) | more than 5 years ago | (#27082629)

I would be laughing if I didn't have to support MS Office users occasionally. Did they really have to announce that they weren't going to patch excel?

Re:HAHAHAHHA (0)

Em Emalb (452530) | more than 5 years ago | (#27083209)

No, they just aren't doing it this time around. But that doesn't fill the requisite MS bashing quota.

Re:HAHAHAHHA (2, Informative)

Vancorps (746090) | more than 5 years ago | (#27083259)

Honestly, do you really allow excel documents to come from the outside? This is why companies have secure transfer facilities for items which could be dangerous if accepted from any random party.

Re:HAHAHAHHA (1)

Culture20 (968837) | more than 5 years ago | (#27083723)

Some businesses require high degrees of personal computing freedom. Thankfully, this often translates into "you break it, you bought it", but I kind of feel like a doctor watching his patients go against sound medical advice.

Re:HAHAHAHHA (1)

Vancorps (746090) | more than 5 years ago | (#27083893)

Fair enough, some businesses don't have the technical staffing to deploy it either. It does effectively fight the problem though which is a shame since more companies don't do it.

Re:HAHAHAHHA (1)

Bert64 (520050) | more than 5 years ago | (#27089723)

Most companies do, it is common for companies to send ms binary formats over the internet, eg via email, and blocking them would disrupt things...

But i agree, it is stupid to receive such files from the outside.. Filtering should be set up to only allow known documented formats, and then parse these formats to validate them against the spec, possibly opening and resaving them in the process to strip out anything malicious (doing this breaks the jpeg exploits that floated around a couple of years ago for instance)...
Not foolproof, but will strip most things and make it much harder to get malicious code through.
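Bert64's suggestion above (only admit known, documented formats and validate them against the spec before they reach a user), as an added example that is not Bert64's code and not anything from Microsoft. It sketches an inbound gate for the two Excel containers: legacy binary .xls, which is an OLE2 Compound File as documented in MS-CFB, and .xlsx, which is an OOXML ZIP package. The header field offsets and the major-version/sector-shift pairs (3/9, 4/12) come from the published MS-CFB layout; the allow-list, the zip-bomb ratio, the "no VBA part in a plain .xlsx" rule and the sample files are assumptions constructed for this example.

```python
"""Added example, not code from the thread: a content gate for inbound
spreadsheets that only admits the two documented Excel containers and
sanity-checks each against its spec. Sample inputs are constructed inline;
the allow-list and the ratio threshold are policy assumptions."""
from __future__ import annotations
import io
import struct
import zipfile

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # MS-CFB header signature
ZIP_MAGIC = b"PK\x03\x04"                        # ZIP local file header
ALLOWED = {"xls": "cfb", "xlsx": "zip"}          # assumed policy: no .xlsm etc.
MAX_RATIO = 200                                  # assumed zip-bomb threshold


def sniff_container(data: bytes) -> str:
    """Classify by leading bytes; the file name is never trusted."""
    if data.startswith(CFB_MAGIC):
        return "cfb"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def check_cfb_header(data: bytes) -> list[str]:
    """Check the fixed 512-byte MS-CFB header against documented ranges."""
    if len(data) < 512:
        return ["truncated CFB header"]
    _minor, major, order, sector_shift, mini_shift = struct.unpack_from("<HHHHH", data, 24)
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    problems = []
    if order != 0xFFFE:
        problems.append("bad byte-order mark")
    if (major, sector_shift) not in ((3, 9), (4, 12)):
        problems.append("major version / sector shift mismatch")
    if mini_shift != 6:
        problems.append("mini sector shift must be 6")
    total_sectors = (len(data) - 512) >> sector_shift  # sectors after the header
    if num_fat == 0 or num_fat > total_sectors:
        problems.append("FAT sector count out of range")
    if first_dir >= total_sectors:
        problems.append("directory start sector beyond end of file")
    return problems


def check_ooxml(data: bytes) -> list[str]:
    """Open the ZIP package and reject parts a plain .xlsx must not carry."""
    problems = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if "[Content_Types].xml" not in names:
                problems.append("missing [Content_Types].xml")
            if not any(n.startswith("xl/") for n in names):
                problems.append("no xl/ part: not a workbook package")
            for info in z.infolist():
                if info.filename.startswith("/") or ".." in info.filename:
                    problems.append("path traversal in entry " + info.filename)
                if info.filename.lower().endswith("vbaproject.bin"):
                    problems.append("embedded VBA project in a macro-free type")
                if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                    problems.append("suspicious compression ratio")
    except zipfile.BadZipFile:
        problems.append("corrupt ZIP container")
    return problems


def gate(filename: str, data: bytes) -> tuple[bool, list[str]]:
    """Return (accepted, reasons); the extension must match the sniffed container."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = ALLOWED.get(ext)
    if expected is None:
        return False, [f"extension .{ext} not on allow-list"]
    actual = sniff_container(data)
    if actual != expected:
        return False, [f".{ext} claims {expected} but content is {actual}"]
    problems = check_cfb_header(data) if expected == "cfb" else check_ooxml(data)
    return not problems, problems


# Constructed sample inputs (synthetic, not real files):
def make_cfb(sector_shift=9, major=3, num_fat=1, first_dir=0, sectors=2) -> bytes:
    hdr = bytearray(512)
    hdr[0:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, major, 0xFFFE, sector_shift, 6)
    struct.pack_into("<II", hdr, 44, num_fat, first_dir)
    return bytes(hdr) + bytes((1 << sector_shift) * sectors)


def make_xlsx(with_vba=False) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            z.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()
```

Call `gate("report.xlsx", make_xlsx())` for an accept and `gate("q1.xls", make_xlsx())` for the extension/content mismatch that a name-based filter would miss. The header checks catch only gross structural lies (a directory sector past end of file, an impossible sector size); they do not find a record-level overflow inside a sheet, which is why the post also suggests re-saving through a trusted parser as a second stage.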

Re:HAHAHAHHA (1)

hesaigo999ca (786966) | more than 5 years ago | (#27090457)

Problem is that an email infected with a virus coming from within your own company's firewall means someone's system was infected (using those stupid screensavers again?) and now has propagated to Excel files within the network, on the servers, or on local PCs.

You have no idea how many Excel files get transferred within a company during the day that do not come from the outside, but could be infected.

First patch (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#27082657)

This patch is dedicated to Dr. Gaius Baltar who could tell Microsoft a lot about zero day exploits.

summary of the summary (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#27082667)

pee pee
poo poo
microsoft is a bad company

The problem with excel: being mission critical (5, Insightful)

Slumdog (1460213) | more than 5 years ago | (#27082669)

OK, you may disagree, but I've worked at banks and found that Excel use is widespread in mission critical applications, research, trading, and what not. It's like the Swiss army knife for non-programmers engaged in decision making. They don't care about security issues (really, they wouldn't know if there was a security issue in any app until Legal departments tell them).

The philosophy for these situations is, 'if it's not broken, don't fix it'. As long as Excel remains usable for corporate clients, upgrades and bug fixes will trickle in at a slow rate.

Re:The problem with excel: being mission critical (5, Insightful)

morgan_greywolf (835522) | more than 5 years ago | (#27083011)

Yeah. Decision makers at banks have proved themselves to be really intelligent lately, huh?

Re:The problem with excel: being mission critical (2, Interesting)

Slumdog (1460213) | more than 5 years ago | (#27083075)

Yeah. Decision makers at banks have proved themselves to be really intelligent lately, huh?

did I say they were intelligent?

Re:The problem with excel: being mission critical (1)

mbooth9517 (896106) | more than 5 years ago | (#27084881)

Why do you think that people are unintelligent if they can't program?

And incidentally, I think the decision makers at the banks have made some smart decisions from their perspectives, haven't they? After all, they are still coming away with millions [telegraph.co.uk].

Re:The problem with excel: being mission critical (1)

morgan_greywolf (835522) | more than 5 years ago | (#27086511)

Why do you think that people are unintelligent if they can't program?

I don't. I think they're unintelligent if they lend money to people who can't pay it back and then package those loans up as commodities and sell them. I think that's pretty stupid, don't you?

Re:The problem with excel: being mission critical (1)

VENONA (902751) | more than 5 years ago | (#27086809)

Ummm, no. They were smart enough that they could basically package *dirt* and sell it.

The people that *bought* them were stupid. There were even Signs in the Heavens, in the form of the ratings services assigning the same ratings to some of these that they were giving to Treasury instruments. And there were *still* buyers, to the tune of untold trillions of dollars. Never underestimate the power of human greed.

What astounds me is that the people at Moody's and the other ratings orgs aren't facing charges yet. I've not even heard that they've had to testify to Congress. Though they well could have, and I missed it.

Re:The problem with excel: being mission critical (1)

morgan_greywolf (835522) | more than 5 years ago | (#27090221)

Where they were stupid is their failure to realize that the economy is a bunch of interconnected parts. Screw others and you screw yourself.

Re:The problem with excel: being mission critical (2, Insightful)

mcgrew (92797) | more than 5 years ago | (#27092363)

Considering how powerful spreadsheets (not just Excel) have been for decades, why would anyone open a spreadsheet from an untrusted source? Maybe I should RTFA, but this seems dumb.

All of them I know of (am I out of date on this?) can open files, etc. Seems to me a spreadsheet should do math and formatting -- and nothing else.

Ironically, at work I get spreadsheets all the time; I have to convert between Lotus, Excel, and Quattro. I usually send a PDF as well, and more irony here; isn't there an Adobe vuln too?

I use Star Office at home, but don't have the need for a spreadsheet there. How does Star's spreadsheet fare?

Re:The problem with excel: being mission critical (1)

Em Emalb (452530) | more than 5 years ago | (#27083279)

(really, they wouldn't know if there was a security issue in any app until Legal departments tell them)

Maybe that's the problem.

Re:The problem with excel: being mission critical (1)

Slumdog (1460213) | more than 5 years ago | (#27083899)

(really, they wouldn't know if there was a security issue in any app until Legal departments tell them)

Maybe that's the problem.

Now! That's what I call attention to detail! Have you thought it could be the problem that caused other problems? Remember SocGen?

Re:The problem with excel: being mission critical (1)

Bert64 (520050) | more than 5 years ago | (#27089741)

Excel is known to get some complex calculations wrong (plenty of documentation on google for this)... If you are using it for financial accounting you are likely to be in violation of sarbanes-oxley requirements.

What's the big deal??? (2, Funny)

Anonymous Coward | more than 5 years ago | (#27082707)

So you receive a virus riddled Excel spreadsheet, open it, the virus infects your system, and what...your system runs as shitty as it always did, the uptime and stability go from crapsville to shitycity, the OS is still as sluggish as it's always been. I mean, hell, there's even a shot that the virus will make things a little better. At least maybe you'll get occasional porn popups from the system tray, and your IE home page will be redirected to an asian teen movie site. I'd say it's a net win.

quickly bash them... (-1, Flamebait)

timmarhy (659436) | more than 5 years ago | (#27082887)

/. has turned into some kind of crappy low rent rag that posts the same basic story 20 times a day. I should start a spoof of /. and post fake stories, people wouldn't even know the difference.

1. bash MS

2. spread apple rumors

3. praise linux

4. profit!

Re:quickly bash them... (1, Informative)

Anonymous Coward | more than 5 years ago | (#27082915)

Fair enough. On your way out don't let the door hit you where the lord split you.

Re:quickly bash them... (0)

Anonymous Coward | more than 5 years ago | (#27083003)

And yet you continue to not only read it but to take the time to comment.

Re:quickly bash them... (0)

Anonymous Coward | more than 5 years ago | (#27083083)

har har it's funny because it's like what you think Slashdot is like.

I've only seen the topic of this article maybe 4 times since it became an issue. Find a better example.

Re:quickly bash them... (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27083121)

you all have been trolled good and proper. suckers.

Re:quickly bash them... (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27083545)

and i had sex with ur mom u bitch

Re:quickly bash them... (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27083407)

stfu u dumb cunt

Re:quickly bash them... (2, Interesting)

larry bagina (561269) | more than 5 years ago | (#27083571)

Too late [bbspot.com]

Re:quickly bash them... (1)

mcgrew (92797) | more than 5 years ago | (#27091239)

suck.com did one a few years ago called "suckdot", it was hilarious. Tux wearing a turban and wielding a scimitar was priceless! I wish I could find it.

There are two uncyclopedia articles about slashdot, there's slashdot.org [wikia.com] , a parody of slashdot, and slashdot (country) [wikia.com] .

From the parody (formatted to look like slashdot):

Jump to: navigation, search
Slashdot
News for nerds. Stuff that is unimportant and pulled from various web sites across the internets and really doesn't matter all that much.
Userpage | Preferences | Subscribe | Why should you pay us even more? | Are you sure you don't want to pay us? | Logout | Come on, just try subscribing!

Slashdot journal entries can be automagically submitted as stories! No, we aren't kidding! You could submit a story to us!!

The next Slashdot story will be ready soon, but guess what?! SUBSCRIBERS can beat the rush and pay us to see it early!!
You have not meta-moderated recently! Moderate our moderators, and then get moderated! Great fun, yes?
You have found the marble in the oatmeal. You get to take a drink from the Firehose! (I don't know what that means, I've just always wanted to put that phrase on top of the Slashdot front page. So here it is.)

You have 5 Moderation Points! Use 'em or lose 'em! But don't use them in threads you actually want to post in okay? And use them before 3 days is up, or else they will be gone. 3 days, 5 points, GO!

Ask Slashdot: Network problems and upgrades
Posted by Konk
from the it-doesnt-work-pause-NET! dept.
c1337us asks:

"I recently purchased an expensive network router for the small business firm where I am the head of the IT department. Unfortunately, I have no clue how to set it up, much less a basic understanding of networking principles. First of all, could someone explain to me what exactly a socket is and second, where can I find this alleged "ether"-net I hear so much about? Will that solve my problems?"

  itsatrap, network, router, slownewsday, loltag, whatcouldpossiblygowrong (tagging beta)<snip>

From slashdot (country)

"Netcraft confirms it - Slashdot *is* filled with Linux fanboys." ~ Bill Gates on Slashdot

"No good editors like Kuro5hin has, No nice layout like Digg.com, Lame !!!."~ CmdrTaco on Slashdot

"In Soviet Russia, slashdot trolls YUO!." ~ Russian Reversal on Slashdot

"On the streets these days, a dime bag of kittens costs a pretty penny." ~ Oscar Wilde on Slashdot's "offtopic" moderation

The Sovereign State of Slashdot is an americanized independent territory roughly located between the Republic of Pakistan and India. The citizens of this unincorporated area, commonly referred to as "dotheads" due to the mark of the beast prominently displayed upon their foreheads, have been denied membership in the UN due to their radical viewpoints since the war of 1912. As a result, Slashdot joined the UN's arch-enemy, NATO, following its invasion by Oprah Winfrey in the Gulf War. The current Prime Minister of Slashdot is CmdrTaco (pronounced KIM-dir-TAY-co).

<snip>Trolls
It is common knowledge that Slashdot is populated entirely by trolls, and no other form of life exists within its borders. The trolls constantly go around beating up other trolls through the use of arcane rituals such as '-1 Offtopic'. It seems that the Slashdottians do nothing except this constant abuse of each other (moderation in Slashdottese, although a more complicated version exists, called metamoderation, generally regarded to be one of the most evil products of our era).

[edit] Economy
The currency of Slashdot is the Karma Point (which recently replaced the archaic reputation point used under the barter system). In 2001, the Karma Point was cursed by an evil witch who got modded flamebait. Expert moneyologists agree that the curse is a serious matter... <snip>

But let's not forget... (0)

Anonymous Coward | more than 5 years ago | (#27082903)

According to Microsoft, they have a better track-record at fixing bugs faster than Linux.

Re:But let's not forget... (1)

morgan_greywolf (835522) | more than 5 years ago | (#27082977)

According to Microsoft, they have a better track-record at fixing bugs faster than Linux.

Well, they seem to beat the hell out of OpenOffice.org, anyway. There's a bug in Calc that's been there for like...years now. OTOH, it's not a security bug, at least. ;)

Re:But let's not forget... (1)

Bert64 (520050) | more than 5 years ago | (#27089773)

There are bugs in MS products that have been there for years too, some of them are even security related...

Word has had a bug since 97 whereby the macro function for counting lines ignored lines with bullet points on them, but when you came to insert at a particular line it counted bullet points and so would put stuff in the wrong place... They fixed it in 2007 with a security hotfix for Word 2003 (wtf was a fix like this doing in a security hotfix?), but 2007 remained broken (may have been fixed by now, but I've not been forced to use it since then).

There is the SMB bug that was publicised recently, supposedly fixed a couple of months ago but the original bug was reported in 2001... This one was security related too!

Re:But let's not forget... (0, Redundant)

lordtoran (1063300) | more than 5 years ago | (#27083751)

According to Microsoft , they have a better track-record at fixing bugs faster than Linux.

Do you notice something?

Re:But let's not forget... (0)

Anonymous Coward | more than 5 years ago | (#27085983)

Confirmation bias?

Re:But let's not forget... (4, Informative)

Gnavpot (708731) | more than 5 years ago | (#27083921)

According to Microsoft, they have a better track-record at fixing bugs faster than Linux.

I assume you were funny, but in case you were not:

Microsoft counts from the day they publicly confirm the existence of a bug.

Most others count from the day the bug was publicly known.

So if Microsoft delays the confirmation of a publicly known bug, the numbers will work in their favour.

Re:But let's not forget... (0)

Anonymous Coward | more than 5 years ago | (#27086519)

[Citation Needed]

Re:But let's not forget... (0)

Anonymous Coward | more than 5 years ago | (#27085863)

Microshit strikes again.

Re:But let's not forget... (1)

JohnBailey (1092697) | more than 5 years ago | (#27086041)

According to Microsoft, they have a better track-record at fixing bugs faster than Linux.

Well, they would do. They use a different track.

How does this affect us? (-1, Redundant)

BigBuckHunter (722855) | more than 5 years ago | (#27082957)

Do home users and corporations still use Excel or Microsoft products? If so, I have a patch for them, though it comes on a 690MB ISO.

BBH

Re:How does this affect us? (1, Insightful)

Anonymous Coward | more than 5 years ago | (#27083099)

If you don't even know that corporations still use it, why would I trust your advice? You're obviously stupid.

I love Linux and Open Source, but posts like this really piss me off.

Re:How does this affect us? (1)

Vancorps (746090) | more than 5 years ago | (#27083239)

As much as I don't like the idea of replacing Microsoft on the desktop with any Linux I gotta appreciate the name.

Big Buck Hunter Safari for the win! The original is too easy by comparison.

Re:How does this affect us? (1)

colinrichardday (768814) | more than 5 years ago | (#27087051)

What? Just a CD, not a DVD?

good for amerika (1)

Robert Halcombe (1319415) | more than 5 years ago | (#27083015)

My russian friends can make zero day exploits all day long. It's good for the economy. Keeps you silly american busy. I love amerika robert halcombe rhalcom@sovgrp.com

Put it into perspective... (2, Funny)

Anonymous Coward | more than 5 years ago | (#27083139)

I have an excel spreadsheet that shows the history of such an exploit. Please open the following...

Does this affect Open Office Calc & Apple Numb (1)

Neanderthal Ninny (1153369) | more than 5 years ago | (#27083171)

I wonder if anyone has tested this exploit on Open Office Calc, Apple Numbers and other MS Office compatible applications?

Re:Does this affect Open Office Calc & Apple N (1, Informative)

Anonymous Coward | more than 5 years ago | (#27085229)

Won't work as-is, and I've never heard of an exploit being successfully 'ported' to OO or whatever. XLS is, like the other "classic" office formats, basically just a serialised object memory dump, which is why it's such a horrific mess and full of vulnerabilities. However the vulnerabilities always seem to be overwrites dependent on the exact memory structure that the office parser produces, rather than generalised "whoops we passed user input to an exec()" type ones.

Re:Does this affect Open Office Calc & Apple N (1)

Bert64 (520050) | more than 5 years ago | (#27089781)

Since OO is based on reverse engineering, it has a far more robust parser for the MS formats... Because they don't know what to expect, their parser is much better at handling unexpected data.. This is also why OO is often much better at opening damaged files.

No patch for... (1)

iFiLa (1217788) | more than 5 years ago | (#27083433)

Ha! Skimming through the subject lines, I thought this post read "No Patch For Adobe Zero-Day Flaw".

zero-day? (1)

Mr 44 (180750) | more than 5 years ago | (#27086265)

Can we stop using the term "zero-day"? It is supposed to refer to malware that is released the same day the exploit becomes public knowledge. At this point, the Excel bug still may not be fixed, but it's been a heck of a lot more than zero days since it was publicized...

Any info on *what* is the flaw? (0)

Anonymous Coward | more than 5 years ago | (#27086559)

I'm sorry but can someone tell me what the actual flaw in Excel is? The articles just talk about who found it, who is attacked, or not, but no concrete hint as to the nature of the problem.

In other words, what exactly is it the patch should change?

microsoft is a monopoly (1)

d_leiderman (948900) | more than 5 years ago | (#27090809)

This just proves that being a monopoly allows you to ignore your users.

Excel is a major tool in many corporates, and having such an exploit can make havoc.

Not the least, this shows that making your own rules can help you claim whatever you want - time to fix / number of vulnerabilities, etc.

Design to last - blog on system engineering [design-to-last.com]
