PDA

View Full Version : Excel vulnerability puts Macs to risk


MacBytes
Feb 25, 2009, 04:22 PM
http://www.macbytes.com/images/bytessig.gif (http://www.macbytes.com)

Category: News and Press Releases
Link: Excel vulnerability puts Macs to risk (http://www.macbytes.com/link.php?sid=20090225172233)
Description:: Microsoft is investigating new public reports of a vulnerability in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. This vulnerability targets users of Microsoft Office 2004 for Mac and Microsoft Office 2008 for Mac.

Posted on MacBytes.com (http://www.macbytes.com)
Approved by Mudbug

Trip.Tucker
Feb 25, 2009, 04:31 PM
Yeah right. I'm skeptical.

NT1440
Feb 25, 2009, 04:35 PM
Yeah right. I'm skeptical.

Why? It says its a vunerability for all of excel, not just mac.

nigrunze
Feb 25, 2009, 05:06 PM
Expect Microsoft to take about 10 times longer to patch the Mac versions than to patch the Windows versions.

mik34
Feb 25, 2009, 05:09 PM
Expect Microsoft to take about 10 times longer to patch the Mac versions than to patch the Windows versions.

Yup

irmongoose
Feb 25, 2009, 05:25 PM
Reminds me of the old "macro virus" days... I seriously hope we don't have to go through that again. *shudder*



irmongoose

alexbates
Feb 25, 2009, 06:35 PM
That's why people should switch to iWork if they are on a Mac...

MisterMe
Feb 25, 2009, 07:36 PM
Why? It says its a vunerability for all of excel, not just mac.That's just it. The claim is all over the lot:

Excel 2000 [for Windows] is vulnerable.
Excel 2004 [for Mac] is vulnerable.
Excel 2008 [for Mac] is vulnerable.
There is some conceivable scenario by which an attack can be staged via the Web.
Here is the thing: Excel 2004 and Excel 2008 do not share the same code base. What is more, the usual vector for Excel-based attacks is through its macro facility. Well, Excel 2008 does not have this facility--much to consternation of Excel:mac users. Excel 2007 has the macro facility, but it is not mentioned.

Despite the fact that Excel 2000 is vulnerable, none of the other versions of Excel:win that share its code base or native format are mentioned. The headline is exclusively about the Mac. The text of the report is mostly about the Mac. This report was posted by an anonymous author on a security website that none of us ever heard of before. Forgive me for being a deep color of skeptical.

MisterMe
Feb 26, 2009, 08:59 AM
I don't like tandem posts, but this is important. The OP from MacBytes is a repost from Help Net Security (http://www.net-security.org/secworld.php?id=7084), a site claiming to be devoted to security issues. That post is based on Microsoft Security Advisory (968272) (http://www.microsoft.com/technet/security/advisory/968272.mspx).

Nowhere in Microsoft's Advisory does it mention the Mac or any Mac-version of Excel. The only version of the spreadsheet explicitly referenced in Excel 2000. All of the references to Mac versions of Excel were added by the anonymous poster on Help Net Security.

rfruth
Feb 26, 2009, 10:02 AM
so what are U saying ME, that Excell 4 Mac = okay, is the media just having a slow news day ?

http://www.macworld.com/article/139017/2009/02/excel.html

PeterQC
Feb 26, 2009, 10:15 AM
So, in short you would have to download an infected excel file, and open it.

But then again, who download excel files from Internet from suspicious websites?

Call me back when a real threatening vulnerability happen.

lftrghtparadigm
Feb 26, 2009, 10:22 AM
Yeah right. I'm skeptical.

:confused: great attitude.

EmperorDarius
Feb 26, 2009, 11:12 AM
I use iWork mwhahhaha LOL :D

MisterMe
Feb 26, 2009, 12:32 PM
so what are U saying ME, that Excell 4 Mac = okay, is the media just having a slow news day ?

http://www.macworld.com/article/139017/2009/02/excel.htmlWhat I am saying is that Microsoft does not say that Excel:mac is not OK. Jim Dalrymple in the MacWorld.com piece claims that Microsoft said "... Microsoft noted that Office 2004 and 2008 for Mac were both affect by the vulnerability." Well, again, Microsoft did not say that. You can read it (http://www.microsoft.com/technet/security/advisory/968272.mspx) for yourself.

There is a herd mentality that pervades Internet journalism. One site posts something. Then every other site picks it up and reposts it or posts it as original without checking the underlying facts.

irmongoose
Feb 26, 2009, 12:46 PM
What are you on?? In the same article (http://www.microsoft.com/technet/security/advisory/968272.mspx) you referenced, under "Overview" there is a list of "Affected Software", and it clearly says "Microsoft Office 2004 for Mac", "Microsoft Office 2008 for Mac", and "Open XML File Format Converter for Mac"!


irmongoose

MisterMe
Feb 26, 2009, 11:22 PM
What are you on?? ...My bad.