A new security flaw, which could potentially create serious
problems for users, has been discovered in Microsoft Office and
Internet Explorer.
An advisory notice by Cert, the security service run by Carnegie
Mellon University, has alerted users to a major security oversight
in Microsoft Office.
Cert said in the notice: "Microsoft Excel and PowerPoint may not
detect malformed macros, so a user can unknowingly run macros
containing malicious code when opening an Excel or PowerPoint
document."
Microsoft and anti-virus companies have tightened security in the
word-processor to minimise the risk of an attack following the
havoc caused by Melissa, the first widespread macro virus to target
Microsoft Word users in 1999.
The latest vulnerability focuses on Excel and PowerPoint, two
applications that have previously not been affected by macro
viruses.
Cert claimed that an intruder could trick a victim into opening a
document using a vulnerable version of Excel or PowerPoint, and
then take on the victim's permissions. This means that the intruder
could read, delete, or modify data; send mass e-mail worm attacks,
or modify the victim's security settings.
Users are being asked to exercise caution when opening attachments.
Richard Brain, technical director at network security firm
ProCheckUp, said that this latest vulnerability, combined with
another new security hole in Internet Explorer, could pose as
serious a threat as Nimda, the virus which wreaked havoc on the
Internet in September.
He said that the latest security issue in Internet Explorer
concerned Microsoft security zones, a technique used by system
administrators to control a user's level of security on the
Internet, intranet and trusted networks.
A Microsoft security bulletin alerted users to a potential security
flaw in this system, which allows a hacker to change the user's
security zone setting for Internet site to the same as the more
secure intranet settings.
Brain suggests that it would, in theory, be possible for a hacker
to combine an Excel/PowerPoint macro attack with an attempt to
change security settings in Internet Explorer.
The user would then be unprotected against another Internet-based
attack. "The one piece missing for another Nimda attack is a flaw
in the IIS Microsoft Web server," he concluded.