MS Office Forum / Excel / New Users / January 2008
FYI - Microsoft Acknowledges XL Flaw
RagDyer - 16 Jan 2008 20:21 GMT
Came across this ZDnet article which might interest some of you:
http://blogs.zdnet.com/security/?p=814&tag=nl.e539
Regards,
RD
--------------------------------------------------------------------------- Please keep all correspondence within the NewsGroup, so all may benefit ! ---------------------------------------------------------------------------
Jim Cone - 16 Jan 2008 21:44 GMT
RD,
Thanks, I guess <g> - I have decided to downgrade to Excel 5. Now if I can just find my discs...
Jim Cone
San Francisco
"RagDyer" wrote in message
Came across this ZDnet article which might interest some of you:
http://blogs.zdnet.com/security/?p=814&tag=nl.e539
Regards,
RD
--------------------------------------------------------------------------- Please keep all correspondence within the NewsGroup, so all may benefit ! ---------------------------------------------------------------------------
RobN - 16 Jan 2008 22:03 GMT
Wow. Just when I was thinking of dumping 2007.....finally..... a tick.
Rob
> RD,
> Thanks, I guess <g> - I have decided to downgrade to Excel 5.
[quoted text clipped - 5 lines]
> Came across this ZDnet article which might interest some of you:
> http://blogs.zdnet.com/security/?p=814&tag=nl.e539
joeu2004 - 16 Jan 2008 22:14 GMT
> Came across this ZDnet article which might interest some of you:
> http://blogs.zdnet.com/security/?p=814&tag=nl.e539
For those of us who have Office Excel 2003, it seems like the "obvious" workaround is to install SP3.
Does anyone know of a reason not to?
Does anyone know what feature(s) might no longer work or work differently as a result of whatever change in SP3 that insulates the user from the vulnerability?
Having been on the system development side of such security, I appreciate the security sensitivity, ergo the limited information about the vulnerability. But I'm just wondering if any Excel expert can add to what the blog says.
T. Valko - 16 Jan 2008 22:29 GMT
>But I'm just wondering if any Excel expert
>can add to what the blog says.
I'm FAR from an expert but here's what I noticed that the article *didn't* say:
It's not a malicious macro coded threat. In other words, disabling macros won't stop it.
Biff
Microsoft Excel MVP
Harlan Grove - 17 Jan 2008 01:08 GMT
"T. Valko" <biffinp...@comcast.net> wrote...
>>But I'm just wondering if any Excel expert
>>can add to what the blog says.
[quoted text clipped - 4 lines]
>It's not a malicious macro coded threat. In other words, disabling
>macros won't stop it.
...
The MSFT security advisory also didn't mention the precise file formats that could carry such payload that the affected versions of Excel (and the Excel 2003 VIEWER, fer cryin' out loud!) mishandle. Recall the penitent words of a few senior MSFT people just after the SP3 blockade was publicised: it's not the file formats themselves that are dangerous, it's the software that loads those files that would cause problems.
If MSFT hasn't been able to figure out how to make Excel load binary spreadsheet files safely through Excel 2003, what are the odds they finally figured out how to do so with the .XLSB file format in Excel 2007? Conversely, will Excel 2007 SP-1 block .XLSB files? Just wondering.
Jim Cone - 16 Jan 2008 22:44 GMT
From eweek - Jan 04, 2008...
" Responding to complaints from Corel, Microsoft says users will soon be able to unblock and reblock files. Microsoft will provide a new and easy way for customers to unblock the files that were shut off by default when they installed Office 2003 Service Pack 3." ...
http://www.eweek.com/c/a/Windows/Microsoft-Backs-Down-over-Office-2003-SP3-File-Blocking/
Jim Cone
San Francisco
"joeu2004" wrote in message
For those of us who have Office Excel 2003, it seems like the "obvious" workaround is to install SP3.
Does anyone know of a reason not to?
Does anyone know what feature(s) might no longer work or work differently as a result of whatever change in SP3 that insulates the user from the vulnerability?
Having been on the system development side of such security, I appreciate the security sensitivity, ergo the limited information about the vulnerability. But I'm just wondering if any Excel expert can add to what the blog says.
joeu2004 - 16 Jan 2008 22:53 GMT
> From eweek - Jan 04, 2008...
> " Responding to complaints from Corel, Microsoft says users will
> soon be able to unblock and reblock files. Microsoft will provide
> a new and easy way for customers to unblock the files that were
> shut off by default when they installed Office 2003 Service Pack 3."
Oh yes, I remember that <sigh>. Thanks for the reminder.
Stan Brown - 17 Jan 2008 05:42 GMT
Wed, 16 Jan 2008 14:44:58 -0800 from Jim Cone <jim.coneXXX@rcn.comXXX>:
> > From eweek - Jan 04, 2008...
[quoted text clipped - 3 lines]
> shut off by default when they installed Office 2003 Service Pack 3." ...
> http://www.eweek.com/c/a/Windows/Microsoft-Backs-Down-over-Office-2003-SP3-File-Blocking/
And which formats are those? The article doesn't say, and neither do the articles that it links to.
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://OakRoadSystems.com/
"If there's one thing I know, it's men. I ought to: it's been my life work." -- Marie Dressler, in /Dinner at Eight/
Bob I - 17 Jan 2008 14:42 GMT
> Wed, 16 Jan 2008 14:44:58 -0800 from Jim Cone
> <jim.coneXXX@rcn.comXXX>:
[quoted text clipped - 9 lines]
> And which formats are those? The article doesn't say, and neither do
> the articles that it links to.
Information about certain file types that are blocked after you install Office 2003 Service Pack 3
http://support.microsoft.com/kb/938810/en-us
Harlan Grove - 17 Jan 2008 16:23 GMT
Bob I <bire...@yahoo.com> wrote...
...
>>And which formats are those? The article doesn't say, and neither
>>do the articles that it links to.
>
>Information about certain file types that are blocked after you
>install Office 2003 Service Pack 3
>http://support.microsoft.com/kb/938810/en-us
Not necessarily the same thing. SP3 mostly blocks file types for older competitors' products (Lotus 123 and Quattro Pro). It also blocks .DIF, .SLK and .XLC, and only the latter two could be called Excel file types. SP3 doesn't block any .XLS file types.
This latest security advisory doesn't mention whether the danger (in Excel's own code) arises from loading files in these less used formats or from .XLS files. However, since Microsoft's recommended fix (and a very self-serving fix it is!) is to convert files to the new OOXML file formats, and since one of their recommended means to do so involves using a new product called MOICE, details for which may be found in http://support.microsoft.com/kb/935865, and MOICE doesn't even handle the file types blocked by SP3 - quoted from the linked KB article,
MOICE currently supports the following document formats:
* .doc
* .ppt
* .pot
* .pps
* .xls
* .xlt
* .xla
That sure makes it appear that the new vulnerability is in Excel's own file types, so SP3 would seem to be irrelevant to this new issue except insofar as Microsoft being happy enough to block file types that coincidentally happen to be the same ones they no longer support in Excel 2007. Then again, maybe the new vulnerability is in the file types blocked by SP3, but Microsoft is using this as just another way to push users into using OOXML file formats and spurring faster upgrading to Office 2007. The only thing that's clear is the lack of full disclosure is classic Microsoft.
Tangential: odd that .dot files aren't included.
Harlan Grove - 17 Jan 2008 16:39 GMT
Harlan Grove <hrln...@gmail.com> wrote...
...
>That sure makes it appear that the new vulnerability is in Excel's
>own file types, so SP3 would seem to be irrelevant to this new issue
...
Or maybe not. The security advisory does state that Excel 2003 SP3 is safe. However, that would also mean there's no benefit to convert .XLS files to OOXML files if you're using Excel 2003 SP3, and since MOICE doesn't handle the file types blocked by Excel 2003 SP3 it's difficult to see how using MOICE could resolve this vulnerability *IF* we were to take Microsoft's statements at face value.
So, if the vulnerability arises from loading the file types blocked by Excel 2003 SP3, MOICE won't fix the issue. But if the vulnerability is in .XLS files, how can Microsoft claim Excel 2003 SP3 is safe?
Stan Brown - 18 Jan 2008 01:16 GMT
Thu, 17 Jan 2008 08:42:20 -0600 from Bob I <birelan@yahoo.com>:
> > And which formats are those? The article doesn't say, and neither do
> > the articles that it links to.
>
> Information about certain file types that are blocked after you install
> Office 2003 Service Pack 3
> http://support.microsoft.com/kb/938810/en-us
Thanks!
I'm bemused to note that it categorizes .dbf as dBASE II files. My .dbf were created in dBASE IV.
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://OakRoadSystems.com/
"If there's one thing I know, it's men. I ought to: it's been my life work." -- Marie Dressler, in /Dinner at Eight/
Bob I - 18 Jan 2008 14:29 GMT
> Thu, 17 Jan 2008 08:42:20 -0600 from Bob I <birelan@yahoo.com>:
>
[quoted text clipped - 9 lines]
> I'm bemused to note that it categorizes .dbf as dBASE II files. My
> .dbf were created in dBASE IV.
Welcome, I suspect the extension is what is checked, not something in the file header.
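The distinction drawn in the last reply, checking the extension versus checking the file header, shown as an added example (not part of the thread, and not a description of how Office 2003 SP3 decides what to block). The file names and header bytes are constructed samples, and the signature table covers only formats named in the thread.

```python
import os

# Leading bytes of the formats named in the thread (published format facts).
SIGNATURES = [
    (bytes.fromhex("D0CF11E0A1B11AE1"), "ole2"),  # binary .xls/.xlt/.xla container
    (b"PK\x03\x04", "zip"),                       # OOXML and .xlsb packages
    (b"ID;", "sylk"),                             # .slk opens with an ID record
    (b"TABLE", "dif"),                            # .dif opens with a TABLE header
]
# The first byte of a .dbf header records the dBASE level that wrote it.
DBF_LEVELS = {0x02: "dbase2", 0x03: "dbase3-or-4",
              0x83: "dbase3-memo", 0x8B: "dbase4-memo"}
# What each extension claims the content to be.
CLAIMS = {".xls": "ole2", ".xlt": "ole2", ".xla": "ole2", ".xlsx": "zip",
          ".xlsb": "zip", ".slk": "sylk", ".dif": "dif", ".dbf": "dbase"}

def sniff(header: bytes) -> str:
    """Identify content from its leading bytes, ignoring the file name."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    # One byte is weak evidence, so it is tried only after the longer signatures.
    return DBF_LEVELS.get(header[0], "unknown") if header else "unknown"

def check(name: str, header: bytes) -> dict:
    """Compare what the extension claims with what the header shows."""
    ext = os.path.splitext(name)[1].lower()
    claimed, actual = CLAIMS.get(ext), sniff(header)
    return {"name": name, "claimed": claimed, "actual": actual,
            "mismatch": claimed is not None and not actual.startswith(claimed)}

# Constructed samples: only the first bytes of each hypothetical file.
SAMPLES = [
    ("budget.xls", bytes.fromhex("D0CF11E0A1B11AE1") + bytes(8)),
    ("report.xls", b"ID;PWXL;N;E\r\n"),          # SYLK content renamed to .xls
    ("old.dbf", bytes([0x02, 0x05, 0x00])),      # dBASE II level byte
    ("new.dbf", bytes([0x8B, 108, 1, 17])),      # dBASE IV with memo
]

def mismatches(samples=SAMPLES) -> list:
    """Names whose extension disagrees with the sniffed content."""
    return [name for name, hdr in samples if check(name, hdr)["mismatch"]]

if __name__ == "__main__":
    for name, header in SAMPLES:
        print(check(name, header))
```

An extension-only check treats `report.xls` as a binary workbook and both `.dbf` samples as the same type; the header check tells them apart.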