Excel hole opens PCs to hackers

Matt Loney ZDNet.co.uk

Published: 27 May 2002 16:01 BST

A security hole in Microsoft's Excel XP spreadsheet application could allow hackers to take over a user's PC by using specially formed XML stylesheets.

According to security expert Georgi Guninski, the problem occurs when a user opens an Excel (.xls) spreadsheet file and chooses to view it with an XML stylesheet. If the XML stylesheet contains specially formed code, said Guninski in a security note on his Web site, the PC will try to run that code.

"As script kiddies know this may lead to taking full control over user's computer," said Guninski. "Excel does not give any warning to the user -- just asks whether to use the style sheet or not." However, Guninski added, by default Excel does not display spreadsheet files with the stylesheet.

On his site, Guninski has posted a sample piece of code that would fool Excel XP into thinking that it contains a link to a stylesheet, but which in fact runs a command that lists directory contents on the user's PC.

To be safe, said Guninski, users should not use XML stylesheets. Guninski said that Microsoft was notified of the flaw on 23 May. Microsoft did not immediately respond to requests for comment.

The flaw is the latest in a slew of security alerts to hit Microsoft products. Last week the company warned Windows NT and 2000 users of a new flaw in its debugger tools that could let attackers give themselves complete control of a system once they've gained basic access to that system. A week before, Microsoft urged Windows users to download a fix for Internet Explorer after six new flaws were found in its Web browser. The software company called three of the flaws critical, but only one of them -- a cross-site scripting error that affects only Internet Explorer 6.0 -- would allow an attacker or a worm to run a program on the victim's computer.

