Tuesday, January 29, 2008

Excel Flaw Highlights Need for Better App Security

Experts believe the rising number of exploits targeting Excel gives hackers incentive to continually exploit applications -- rather than operating systems -- for flaws.

Article by Jabulani Leffall
Don Leatham of Lumension Security has a first-step remedy to the ongoing security concerns around Microsoft's Excel application. "IT guys should tell end users right off the bat that if they see an unrecognizable Excel document in their inbox, they should treat it like porn -- it's not something you should be opening up at work." Extreme measures aside, because Excel is one of the most commonly used software applications on the planet, it's also increasingly the most common and frequent target for client-side attacks, security experts say.

In the last 18 months alone there were more than 33 documented vulnerabilities that pertained specifically to the popular spreadsheet program, a number Microsoft would neither confirm nor deny. While this seems like a large number -- an average of almost two every month for that duration -- these are just the documented cases. This prompts IT security mavens to assert that securing Excel -- even above Internet Explorer -- should be Job No. 1 where Windows programs are concerned.

"Out of all the applications sitting on networks and desktops around the globe, Excel lends itself to be the most natural attack target because of its ubiquity in the corporate world," said Leatham, director of solutions strategy for Lumension, which is based in Scottsdale, Ariz. "This is definitely the one program IT pros are really pulling their hair out over because more often than not, Excel documents carry sensitive information such as financial data and the like."

In mid-January, Microsoft's security group said there were continual attacks exploiting a flaw in most versions of the popular spreadsheet program.