FYI - Microsoft Acknowledges XL Flaw

joeu2004

Came across this ZDnet article which might interest some of you:
http://blogs.zdnet.com/security/?p=814&tag=nl.e539

For those of us who have Office Excel 2003, it seems like the
"obvious" workaround is to install SP3.

Does anyone know of a reason not to?

Does anyone know what feature(s) might no longer work or work
differently as a result of whatever change in SP3 that insulates the
user from the vulnerability?

Having been on the system development side of such security, I
appreciate the security sensitivity, ergo the limited information
about the vulnerability. But I'm just wondering if any Excel expert
can add to what the blog says.

T. Valko

But I'm just wondering if any Excel expert
can add to what the blog says.

I'm FAR from an expert but here's what I noticed that the article *didn't*
say:

It's not a malicious macro coded threat. In other words, disabling macros
won't stop it.

--
Biff
Microsoft Excel MVP

Jim Cone

From eweek - Jan 04, 2008...
" Responding to complaints from Corel, Microsoft says users will
soon be able to unblock and reblock files. Microsoft will provide
a new and easy way for customers to unblock the files that were
shut off by default when they installed Office 2003 Service Pack 3." ...
http://www.eweek.com/c/a/Windows/Microsoft-Backs-Down-over-Office-2003-SP3-File-Blocking/
Jim Cone
San Francisco

joeu2004

From eweek - Jan 04, 2008...
" Responding to complaints from Corel, Microsoft says users will
soon be able to unblock and reblock files.  Microsoft will provide
a new and easy way for customers to unblock the files that were
shut off by default when they installed Office 2003 Service Pack 3."

Oh yes, I remember that <sigh>. Thanks for the reminder.

Harlan Grove

T. Valko said:
I'm FAR from an expert but here's what I noticed that the article
*didn't* say:

It's not a malicious macro coded threat. In other words, disabling
macros won't stop it.
....

The MSFT security advisory also didn't mention the precise file
formats that could carry such payload that the affected versions of
Excel (and the Excel 2003 VIEWER, fer cryin' out loud!) mishandle.
Recall the penitent words of a few senior MSFT people just after the
SP3 blockade was publicised: it's not the file formats themselves that
are dangerous, it's the software that loads those files that would
cause problems.

If MSFT hasn't been able to figure out how to make Excel load binary
spreadsheet files safely through Excel 2003, what are the odds they
finally figured out how to do so with the .XLSB file format in Excel
2007? Conversely, will Excel 2007 SP-1 block .XLSB files? Just
wondering.

Stan Brown

Wed, 16 Jan 2008 14:44:58 -0800 from Jim Cone
From eweek - Jan 04, 2008...
" Responding to complaints from Corel, Microsoft says users will
soon be able to unblock and reblock files. Microsoft will provide
a new and easy way for customers to unblock the files that were
shut off by default when they installed Office 2003 Service Pack 3." ...
http://www.eweek.com/c/a/Windows/Microsoft-Backs-Down-over-Office-2003-SP3-File-Blocking/

And which formats are those? The article doesn't say, and neither do
the articles that it links to.

Harlan Grove

Bob I said:
Stan Brown wrote: ....

Information about certain file types that are blocked after you
install Office 2003 Service Pack 3
http://support.microsoft.com/kb/938810/en-us

Not necessarily the same thing. SP3 mostly blocks file types for older
competitors' products (Lotus 123 and Quattro Pro). It also
blocks .DIF, .SLK and .XLC, and only the latter two could be called
Excel file types. SP3 doesn't block any .XLS file types.

This latest security advisory doesn't mention whether the danger (in
Excel's own code) arises from loading files in these less used formats
or from .XLS files. However, since Microsoft's recommended fix (and a
very self-serving fix it is!) is to convert files to the new OOXML
file formats, and since one of their recommended means to do so
involves using a new product called MOICE, details for which may be
found in http://support.microsoft.com/kb/935865, and MOICE doesn't
even handle the file types blocked by SP3 - quoted from the linked KB
article,

MOICE currently supports the following document formats:
* .doc
* .ppt
* .pot
* .pps
* .xls
* .xlt
* .xla

That sure makes it appear that the new vulnerability is in Excel's own
file types, so SP3 would seem to be irrelevant to this new issue
except insofar as Microsoft being happy enough to block file types
that coincidentally happen to be the same ones they no longer support
in Excel 2007. Then again, maybe the new vulnerability is in the file
types blocked by SP3, but Microsoft is using this as just another way
to push users into using OOXML file formats and spurring faster
upgrading to Office 2007. The only thing that's clear is the lack of
full disclosure is classic Microsoft.

Tangential: odd that .dot files aren't included.

Harlan Grove

Harlan Grove said:
That sure makes it appear that the new vulnerability is in Excel's
own file types, so SP3 would seem to be irrelevant to this new issue
....

Or maybe not. The security advisory does state that Excel 2003 SP3 is
safe. However, that would also mean there's no benefit to convert .XLS
files to OOXML files if you're using Excel 2003 SP3, and since MOICE
doesn't handle the file types blocked by Excel 2003 SP3 it's difficult
to see how using MOICE could resolve this vulnerability *IF* we were
to take Microsoft's statements at face value.

So, if the vulnerability arises from loading the file types blocked by
Excel 2003 SP3, MOICE won't fix the issue. But if the vulnerability is
in .XLS files, how can Microsoft claim Excel 2003 SP3 is safe?

Bob I

Stan said:
Thanks!

I'm bemused to note that it categorizes .dbf as dBASE II files. My
.dbf were created in dBASE IV.

Welcome, I suspect the extension is what is checked, not something in
the file header.
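The last two posts turn on whether a blocking rule keys on the file extension or on what is actually inside the file. The script below is an added example, not code from this thread or from Microsoft: it classifies the spreadsheet formats discussed here (.xls/.xlt/.xla OLE2 containers, .dif, .slk, .dbf) both ways and reports where the two answers disagree, which is exactly the case an extension-only block misses. The header signatures are documented format facts (the 8-byte OLE2 compound-file magic, the DIF "TABLE" line, the SYLK "ID;" line, and the dBASE version byte followed by a YYMMDD last-update date). The sample inputs are constructed minimal headers, not real files, the set of dBASE version bytes is a non-exhaustive assumption, and all function names are mine.

```python
"""Classify spreadsheet files by content versus by extension.

Added example for this thread (not Microsoft's or the thread's code).
Signatures are documented format facts; sample data is constructed.
"""
import os

# OLE2 / Compound File Binary magic: the container used by .xls/.xlt/.xla.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Assumption: a small, non-exhaustive set of dBASE version bytes
# (dBASE III+/IV and FoxPro, with and without memo files).
DBF_VERSION_BYTES = {0x03, 0x83, 0x8B, 0xF5}

EXT_TO_FORMAT = {".xls": "xls", ".xlt": "xls", ".xla": "xls",
                 ".dif": "dif", ".slk": "slk", ".dbf": "dbf"}

# Formats that Excel 2003 SP3 blocks, per the thread (.DIF, .SLK, .DBF).
BLOCKED_FORMATS = ("dif", "slk", "dbf")


def sniff_format(data: bytes) -> str:
    """Identify the format from header bytes only; 'unknown' if no match."""
    if data.startswith(OLE2_MAGIC):
        return "xls"
    if data.startswith(b"TABLE\r\n") or data.startswith(b"TABLE\n"):
        return "dif"
    if data.startswith(b"ID;"):
        return "slk"
    # dBASE: version byte, then last-update date as YY, MM, DD.
    if (len(data) >= 4 and data[0] in DBF_VERSION_BYTES
            and 1 <= data[2] <= 12 and 1 <= data[3] <= 31):
        return "dbf"
    return "unknown"


def format_by_extension(name: str) -> str:
    """The naive rule: trust whatever the file name says it is."""
    return EXT_TO_FORMAT.get(os.path.splitext(name)[1].lower(), "unknown")


def classify(name: str, data: bytes) -> dict:
    """Compare both verdicts; a mismatch is where extension checks fail."""
    ext = format_by_extension(name)
    content = sniff_format(data)
    return {"name": name, "by_extension": ext,
            "by_content": content, "mismatch": ext != content}


def blocked_by_extension(name: str) -> bool:
    return format_by_extension(name) in BLOCKED_FORMATS


def blocked_by_content(data: bytes) -> bool:
    return sniff_format(data) in BLOCKED_FORMATS


# Constructed samples: just enough header to exercise each rule.
SAMPLES = {
    "budget.xls": OLE2_MAGIC + b"\x00" * 24,
    "prices.dif": b"TABLE\r\n0,1\r\n\"EXCEL\"\r\n",
    "rates.slk": b"ID;PWXL;N;E\r\n",
    # version 0x03, last updated 2008-01-16 (YY counts from 1900 -> 108)
    "customers.dbf": bytes([0x03, 108, 1, 16]) + b"\x00" * 28,
    # an OLE2 workbook hiding behind a harmless-looking extension
    "renamed.txt": OLE2_MAGIC + b"\x00" * 24,
    # SYLK content (a blocked format) carried under an allowed .xls name
    "renamed.xls": b"ID;PWXL;N;E\r\n",
}


def audit(samples=None):
    """Classify every sample; returns one dict per file."""
    samples = SAMPLES if samples is None else samples
    return [classify(n, d) for n, d in samples.items()]


if __name__ == "__main__":
    for row in audit():
        print(row)
```

Run it as-is and the two `renamed.*` entries come back with `mismatch: True`: the extension rule lets `renamed.xls` through even though its content is a blocked SYLK file, while the content rule blocks it regardless of name. Whichever check Office actually applies, this is the difference Bob I is pointing at.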