A new and potentially dangerous security flaw that could affect anyone who browses the web was reported Jan. 5 by Finjan Software, a computer security company in San Jose, Calif. The security hole lets an attacker steal data from a web surfer’s computer if Microsoft’s Excel spreadsheet program is installed on it, said Finjan chief executive Bill Lyons.
“We believe this could affect tens of millions of users as they’re configured today,” said Lyons. “An attacker could steal or copy innocent internet users’ private files without their knowledge.”
Here’s how the security flaw works, according to Finjan: An attacker sets up a web site with the malicious code built into its pages. An unsuspecting user who has Microsoft Excel installed, though not necessarily running, visits the site. While the user is viewing the page, the attacker’s code reaches into the user’s copy of Excel and, through it, copies files off the user’s computer.
Normally, users would have to take a deliberate step, such as downloading and running an infected program, to be attacked. In this case, though, users could be hit simply by visiting a web site, Finjan said.
At press time, no attacks in the wild had been reported; neither Finjan nor Microsoft said it had heard of one. But as John Stewart, a chief architect at Digital Island, pointed out, carrying one out would be simple enough. “This attack can be executed by almost anyone,” Stewart said.
Associated Press (AP) reporters who went to a demonstration web site set up by Finjan on Jan. 5 experienced the attack firsthand, AP reported. After the reporters visited Finjan’s page and agreed to be hacked, AP said, the security company was able to pull files from their computers.
At Microsoft, based in Redmond, Wash., John Duncan, a product manager in the company’s Office group, said Microsoft had already learned of the problem and addressed it the previous month, e-mailing a security bulletin to nearly 1 million customers on Dec. 10 that offered a free, downloadable patch.
“We were notified by a third party, and we moved to fix it immediately,” he said. More importantly, Duncan said, Microsoft has had no customer complaints about the problem.
“There really is no newness to this,” he said. “There’s not a bug in the software.”
Microsoft’s security bulletin (MS98-018) warned that an attacker could get into a computer via an Excel function (the bulletin identifies it as Excel’s CALL function, which lets a worksheet formula invoke code in an external library), though it did not spell out how the attack could be carried out over the internet.
“The bulletin provides customers with the information they need to decide whether or not they want to install the … patch,” said Duncan. “However, we want to avoid providing hackers with a blueprint for how they can exploit security issues [like] this.”
Avi Rubin, a researcher at AT&T Labs, said it is the ease of mounting the attack, against so many machines, that could make it devastating. “It is the kind of attack that makes your jaw drop when you hear about it and makes you wonder if sensitive information should ever be kept on a networked computer,” he said.
Finjan said Microsoft’s free patch will fix the problem. Finjan has also offered a software solution of its own to its customers.
Finjan Software Ltd.
Microsoft Security Bulletin MS98-018