New Excel security vuln

Take care out there:

[Dodgy spreadsheets can crash your pc and/or compromise security]

This one is already being exploited (hence zero day), so watch what you are downloading. If some of the others are anything to go by, this is exploitable no matter your Excel macro security settings. A malformed string somewhere in the workbook does the damage, not any code. This type of attack is getting more popular.Virus definitions will probably not detect it yet, so don’t rely on a scan.

In a related area, I wanted to test security at a clients so I created a few different workbooks with auto open code in.

I stuck a link to them here (near the bottom) -(given the above don’t feel you have to try them!):

net result for the client- nil point, all ran without warning, meaning any potentially harmful VBA (or XLM) malware could have run too. The internal office support team weren’t interested, prefering to rely on virus scanning (see above for the dangers of this approach). Another vote for the Dale Carnegie course?

Anyone else seen a place that forces office macro security to low by policy?



10 Responses to “New Excel security vuln”

  1. Marcus Says:

    I tested all 3 workbooks (in a client’s environment) and was warned as expected – Excel’s security is set to medium. Given that this is a financial institution, which lives and breathes on spreadsheet models, they need to strike a balance between spreadsheet security and a frustrated user base.

    However like most warning messages, users have become desensitised to the macro security dialog and click past it. I’d guess that those at greatest risk are not corporates but smaller enterprises and home users who are less knowledgeable and security and the ramifications.

    As for the uninterested support team, it may not be your powers of persuasion that are lacking but their understanding of what these macros are capable of. Many IT dept personnel I’ve dealt with see Excel (and Access) as ‘Mickey Mouse’ and assume that the AV software will ‘pick it up’.

  2. Ken Puls Says:

    “Anyone else seen a place that forces office macro security to low by policy?”

    It was (is still) my policy to set Macro security off in 97, only because that was the only way to stop the prompting. (We have a LOT of workbooks with VBA in them.) I am aware of the risk, but I don’t think the message would stop my users if they encountered it anyway.

    With the release of 2000 and the selfcert.exe program for digital signatures, however, that’s not really necessary any more. I now sign my workbook solutions, and leave security set at medium. This enables my users to work without being bothered by the macros warning unless they open a workbook that:
    -I created but did not sign (still happens).
    -Is not from me and contains code.

    I’d like to think they’d call me in either case, but then I’m not an idiot either, and am aware that they most likely just click enable and get on with it.

  3. Anonymous Says:

    I can tell you for a fact that 2 of the big 4 accounting firms have macro security compulsorily set to low – crazy!

  4. Simon Herbert Says:

    As a default, all users have the security level set to high.

    Normally, I ask them to set this to medium, most of the code is written internally so it doesn’t normally cause an issue but users do tend to click Yes or Enable without thinking…

    I agree with Ken about selfcert.exe, this is a good way of ensuring that only trusted code can be run, however I have been complaining for over 2 years that digital signatures are a bit flaky in our environment.

    Sometimes they work, sometime they don’t. I don’t know why this is or what causes it, but I do know that it’s not just our code / signatures that suffers with this problem.

    We use the SAP BW Analyzer add-in and quite often this will not load correctly if opened from the start menu or a desktop shortcut. This means that you need to log into another program and launch it from there (which defeats the purpose of having a shortcut really!). This may not seem like a big deal, but you also need to exit Excel to force the add-in to load correctly which is a complete pain if you are working with large files.

  5. Simon Says:

    well thats reassuring
    This client is not the only one, and other devs are also concerned.

    I agree with Marcus on the desensitised issue, I am myself to an extent.

    I think selfcert is a good start, but would like to see more corps using a proper structured certifcate sever scheme. I have a thawte code signing certificate, and the warnings that produces scare people more than non signed code.

    Interesting point about the big 4 accountants, no suprise though, I’m not sure they value developer input very highly.

    I’ve not heard of certificates being flaky before, but I can totally believe it. I’ve seen all sorts of odd stuff at various clients over time.

    At this particular clients the security was enforced by a policy template (.adm files). The user could not change (ie increase) security, bit of a pain when trying to work with auto_open code, never mind the security risk.

  6. sam Says:

    Hi Simon,

    Setting the security level to high has no effect on the file, once you convert the file as an exe file. The VBA code will run no matter what the setting….

    Check out and searh for Excel to Exe in the whats new section….


  7. Simon Says:

    Hi Sam
    I’ve seen xl-to-exe before, its a neat idea. I’d be interested to know how it gets around the security warnings. One handy thing about COM add-ins is they don’t usually trigger.
    I’ll download it and have a play around.

  8. Bob Phillips Says:

    We had a discussion on the Usenet newsgroups recently, where Peter Nonely released his Function Dictionary as an exe using Orlando’s technique. The general consensus was that receiving an Excel workbook in this manner was scarier than exes (go figure, but that is what we felt).

    The thread can be found at, finally shut down by Aaron Kempff’s intervention.

  9. Simon Says:

    I agree with you Bob, I, and in fact many virus scanners prefer .xls to .exe.
    That Aaron bloke sounds nice (not!)

  10. Bob Phillips Says:

    We’re well used to him. Harlan Grove tries to reason with, total waste of time, even for someone as obstinate as Harlan.

    For sheer nastiness, look up some posts by KadaitchaMan, he’s a real case.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: