Recently, just as Microsoft delivered one of its largest ever batches of security patches – including one for a critical hole in Word – hackers found three as-yet-unpatched holes involving Excel.
This article appears in the November 06 issue of PC Advisor, on sale now in all good newsagents.
Two of the bugs permit attacks when you open a doctored Excel spreadsheet stored on a website or sent as an email attachment. The first is related to the way Excel handles memory and could enable an attacker to take control of your PC. It hits Excel versions 2000 to 2003.
According to Microsoft, the second problem, which can arise if you click a poisoned link in a spreadsheet, is caused by a deeper bug in the part of Windows that handles hyperlinking. A third flaw involves an attacker’s use of an Office feature to embed a doctored Flash movie.
Microsoft says fully patched Windows PCs incorporate a ‘kill bit’ designed to protect against malicious add-ins of the third variety, but at least one attack has exploited the Excel bug. And proof-of-concept code, on which real-world attacks are based, is available for the second, hyperlinking vulnerability. Treat unexpected email attachments with caution, even if they appear to come from someone you know.
Head here to get fixes for your PC via Windows Update.
Other critical holes closed
One of Microsoft’s recent group of 21 patches closed a Word hole from May that was the target of a zero-day attack, plus a host of other problems, including eight critical vulnerabilities. Any of the eight could allow remote code execution – shorthand for letting an attacker exercise free rein over your PC. Windows Media Player, PowerPoint, Internet Explorer and other applications all got patched.
Microsoft distributed the patches via Windows Update. Run it manually from the Start menu if you’ve disabled Automatic Updates, or find direct download links and more information on the patches here.