Tech Shout!

As reported on June 16 at Techshout, Microsoft Excel was hit by a new vulnerability, which is sent via e-mail and gives an attacker the same rights as a user. Now as Microsoft tries to fix this security flaw, security researches have discovered yet another flaw in Microsoft Excel. Symantec had disclosed this flaw on Monday, June 19 saying that this vulnerability could cause Excel to crash after a malicious file was opened.

A code execution and sytem takeover risk is also possible, although this hasn’t been confirmed by Symantec as yet. Security firm Secunia disagreed to the above statement saying that successful exploitation would allow the execution of arbitrary code.

“The vulnerability is caused due to a boundary error in hlink.dll within the handling of Hyperlinks in e.g. Excel documents,” Secunia wrote in its advisory. “This can be exploited to cause a stack-based buffer overflow by tricking a user into clicking a specially crafted Hyperlink in a malicious Excel document.”

This second vulnerability affects Excel 2000, 2002, 2003 as well as the Excel Viewer. The fully patched version of Excel 2003 SP2 also includes the flaw, Secunia says.

As a precaution both firms, Secunia and Symantec suggested refraining from opening untrusted Office documents. However, Microsoft had no immediate comment on this latest issue.