Even Excel is a bit insecure
Software security, or the lack of it, has received a lot of attention lately, including in this column. Security holes, usually found in browsers, are logical flaws in a program's design that allow smart programmers with nothing better to do to access your files, crash your PC, or upload a nasty program to your computer and run it. Microsoft recently admitted that both Excel 95 and 97 are vulnerable to these kinds of exploits, too. The problem, known as the Russian New Year Bug, concerns the program's Call function, which allows an Excel worksheet to run another external program. It sounds innocuous enough, until you consider that the external program could delete files, infect your system with a virus, or wreak other havoc. Unfortunately, Call doesn't warn you before running the external program. A disgruntled employee can simply create a nasty program, Call it in a worksheet's Autostart macro, and then attach the worksheet and the external program to an e-mail message. Microsoft says no one has exploited this loophole yet, but the company offers a 132KB patch (available at officeupdate.microsoft.com/downloadDetails/xl97cfp.htm) that disables the Call function in worksheets. The patch requires that you've already installed Office 97 Service Release 2. However, the patch does not disable Call when used in a macro (such as the Autostart macro). For more details, visit support.microsoft.com/support/kb/articles/q196/7/91.asp. - Scott Spanbauer |
Category:Bugs and fixes Issue: April 1999 |
These Web pages are produced by Australian PC World © 1999 IDG Communications