Finjan Software Inc has put Microsoft Corp’s nose out of joint by drawing attention to a security hole in Microsoft Excel 95 and 97. Finjan says it has discovered an attack that directly exploits the hole. It calls the attack the Russian New Year Exploit, and describes it as extremely dangerous.

Excel has a function called CALL, which allows spreadsheets to run certain kinds of executables, such as dynamic linked libraries (DLLs), without necessarily warning the user that it is doing so. By using HTML in conjunction with the CALL function, the Russian New Year Exploit could potentially expose internet users’ private files to copying or theft without their knowledge. Excel doesn’t have to be running for the exploit to work. It simply has to be installed on the PC.

Microsoft says it recognized the flaw and posted a patch on December 9, 1998, and that Finjan’s announcement is nothing more than a restatement of the same issue. Microsoft also says it knows of no reports of customers being adversely affected by malicious hackers through this mechanism.

Unfortunately the patch, which can only be installed on top of Office 97 Service Release 2, works by disabling the CALL function altogether. Customers who need the CALL function should evaluate the degree of risk that it poses to their systems, and determine whether the best course of action is to apply the patch or not, Microsoft rather unhelpfully concluded. That is to say, you can have the feature, or you can have a secure system, but you can’t have both.