Came across this ZDnet article which might interest some of you:

http://blogs.zdnet.com/security/?p=814&tag=nl.e539


--
Regards,

RD

---------------------------------------------------------------------------
Please keep all correspondence within the NewsGroup, so all may benefit !
---------------------------------------------------------------------------

RD,
Thanks, I guess <g - I have decided to downgrade to Excel 5.
Now if I can just find my discs...
Jim Cone
San Francisco


"RagDyer" wrote in message
Came across this ZDnet article which might interest some of you:
http://blogs.zdnet.com/security/?p=814&tag=nl.e539
--
Regards,
RD
---------------------------------------------------------------------------
Please keep all correspondence within the NewsGroup, so all may benefit !
---------------------------------------------------------------------------

Wow. Just when I was thinking of dumping 2007.....finally..... a tick.

Rob

"Jim Cone" wrote in message
...

RD,
Thanks, I guess <g - I have decided to downgrade to Excel 5.
Now if I can just find my discs...
Jim Cone
San Francisco


"RagDyer" wrote in message
Came across this ZDnet article which might interest some of you:
http://blogs.zdnet.com/security/?p=814&tag=nl.e539
--
Regards,
RD
---------------------------------------------------------------------------
Please keep all correspondence within the NewsGroup, so all may benefit !
---------------------------------------------------------------------------

On Jan 16, 12:21*pm, "RagDyer" wrote:
Came across this ZDnet article which might interest some of you:
http://blogs.zdnet.com/security/?p=814&tag=nl.e539

For those of us who have Office Excel 2003, it seems like the
"obvious" workaround is to install SP3.

Does anyone know of a reason not to?

Does anyone know what feature(s) might no longer work or work
differently as a result of whatever change in SP3 that insulates the
user from the vulnerability?

Having been on the system development side of such security, I
appreciate the security sensitivity, ergo the limited information
about the vulnerability. But I'm just wondering if any Excel expert
can add to what the blog says.

But I'm just wondering if any Excel expert
can add to what the blog says.

I'm FAR from an expert but here's what I noticed that the article *didn't*
say:

It's not a malicious macro coded threat. In other words, disabling macros
won't stop it.

--
Biff
Microsoft Excel MVP


"joeu2004" wrote in message
...
On Jan 16, 12:21 pm, "RagDyer" wrote:
Came across this ZDnet article which might interest some of you:
http://blogs.zdnet.com/security/?p=814&tag=nl.e539

For those of us who have Office Excel 2003, it seems like the
"obvious" workaround is to install SP3.

Does anyone know of a reason not to?

Does anyone know what feature(s) might no longer work or work
differently as a result of whatever change in SP3 that insulates the
user from the vulnerability?

Having been on the system development side of such security, I
appreciate the security sensitivity, ergo the limited information
about the vulnerability. But I'm just wondering if any Excel expert
can add to what the blog says.

From eweek - Jan 04, 2008...
" Responding to complaints from Corel, Microsoft says users will
soon be able to unblock and reblock files. Microsoft will provide
a new and easy way for customers to unblock the files that were
shut off by default when they installed Office 2003 Service Pack 3." ...
http://www.eweek.com/c/a/Windows/Mic...File-Blocking/
Jim Cone
San Francisco




"joeu2004"
wrote in message
For those of us who have Office Excel 2003, it seems like the
"obvious" workaround is to install SP3.

Does anyone know of a reason not to?

Does anyone know what feature(s) might no longer work or work
differently as a result of whatever change in SP3 that insulates the
user from the vulnerability?
Having been on the system development side of such security, I
appreciate the security sensitivity, ergo the limited information
about the vulnerability. But I'm just wondering if any Excel expert
can add to what the blog says.

On Jan 16, 2:44*pm, "Jim Cone" wrote:
From eweek - Jan 04, 2008...
" Responding to complaints from Corel, Microsoft says users will
soon be able to unblock and reblock files. *Microsoft will provide
a new and easy way for customers to unblock the files that were
shut off by default when they installed Office 2003 Service Pack 3."

Oh yes, I remember that <sigh. Thanks for the reminder.

"T. Valko" wrote...
But I'm just wondering if any Excel expert
can add to what the blog says.

I'm FAR from an expert but here's what I noticed that the article
*didn't* say:

It's not a malicious macro coded threat. In other words, disabling
macros won't stop it.
....

The MSFT security advisory also didn't mention the precise file
formats that could carry such payload that the affected versions of
Excel (and the Excel 2003 VIEWER, fer cryin'g out loud!) mishandle.
Recall the penitent words of a few senoir MSFT people just after the
SP3 blockade was publicised: it's not the file formats themselves that
are dangerous, it's the software that loads those files that would
cause problems.

If MSFT hasn't been able to figure out how to make Excel load binary
spreadsheet files safely through Excel 2003, what are the odds they
finally figured out how to do so with the .XLSB file format in Excel
2007? Conversely, will Excel 2007 SP-1 block .XLSB files? Just
wondering.

Wed, 16 Jan 2008 14:44:58 -0800 from Jim Cone
:

From eweek - Jan 04, 2008...
" Responding to complaints from Corel, Microsoft says users will
soon be able to unblock and reblock files. Microsoft will provide
a new and easy way for customers to unblock the files that were
shut off by default when they installed Office 2003 Service Pack 3." ...
http://www.eweek.com/c/a/Windows/Mic...File-Blocking/

And which formats are those? The article doesn't say, and neither do
the articles that it links to.

--
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://OakRoadSystems.com/
"If there's one thing I know, it's men. I ought to: it's
been my life work." -- Marie Dressler, in /Dinner at Eight/

Stan Brown wrote:

Wed, 16 Jan 2008 14:44:58 -0800 from Jim Cone
:


From eweek - Jan 04, 2008...
" Responding to complaints from Corel, Microsoft says users will
soon be able to unblock and reblock files. Microsoft will provide
a new and easy way for customers to unblock the files that were
shut off by default when they installed Office 2003 Service Pack 3." ...
http://www.eweek.com/c/a/Windows/Mic...File-Blocking/


And which formats are those? The article doesn't say, and neither do
the articles that it links to.


Information about certain file types that are blocked after you install
Office 2003 Service Pack 3
http://support.microsoft.com/kb/938810/en-us

Bob I wrote...
Stan Brown wrote:
....
And which formats are those? The article doesn't say, and neither
do the articles that it links to.

Information about certain file types that are blocked after you
install Office 2003 Service Pack 3
http://support.microsoft.com/kb/938810/en-us

Not necessarily the same thing. SP3 mostly blocks file types for older
competitors' products (Lotus 123 and Quattro Pro). It also
blocks .DIF, .SLK and .XLC, and only the latter two could be called
Excel file types. SP3 doesn't block any .XLS file types.

This latest security advisory doesn't mention whether the danger (in
Excel's own code) arises from loading files in these less used formats
or from .XLS files. However, since Microsoft's recommended fix (and a
very self-serving fix it is!) is to convert files to the new OOXML
file formats, and since one of their recommended means to do so
involves using a new product called MOICE, details for which may be
found in http://support.microsoft.com/kb/935865, and MOICE doesn't
even handle the file types blocked by SP3 - quoted from the linked KB
article,

MOICE currently supports the following document formats:
* .doc
* .ppt
* .pot
* .pps
* .xls
* .xlt
* .xla

That sure makes it appear that the new vulnerability is in Excel's own
file types, so SP3 would seem to be irrelevant to this new issue
except insofar as Microsoft being happy enough to block file types
that coincidentally happen to be the same ones they no longer support
in Excel 2007. Then again, maybe the new vulnerability is in the file
types blocked by SP3, but Microsoft is using this as just another way
to push users into using OOXML file formats and spurring faster
upgrading to Office 2007. The only thing that's clear is the lack of
full disclosure is classic Microsoft.

Tangential: odd that .dot files aren't included.

Harlan Grove wrote...
....
That sure makes it appear that the new vulnerability is in Excel's
own file types, so SP3 would seem to be irrelevant to this new issue
....

Or maybe not. The security advisory does state that Excel 2003 SP3 is
safe. However, that would also mean there's no benefit to convert .XLS
files to OOXML files if you're using Excel 2003 SP3, and since MOICE
doesn't handle the file types blocked by Excel 2003 SP3 it's difficult
to see how using MOICE could resolve this vulnerability *IF* we were
to take Microsoft's statements at face value.

So, if the vulnerability arises from loading the file types blocked by
Excel 2003 SP3, MOICE won't fix the issue. But if the vulnerability is
in .XLS files, how can Microsoft claims Excel 2003 SP3 is safe?

Thu, 17 Jan 2008 08:42:20 -0600 from Bob I :

Stan Brown wrote:
And which formats are those? The article doesn't say, and neither do
the articles that it links to.


Information about certain file types that are blocked after you install
Office 2003 Service Pack 3
http://support.microsoft.com/kb/938810/en-us

Thanks!

I'm bemused to note that it categorizes .dbf as dBASE II files. My
..dbf were created in dBASE IV.

--
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://OakRoadSystems.com/
"If there's one thing I know, it's men. I ought to: it's
been my life work." -- Marie Dressler, in /Dinner at Eight/

Stan Brown wrote:

Thu, 17 Jan 2008 08:42:20 -0600 from Bob I :

Stan Brown wrote:

And which formats are those? The article doesn't say, and neither do
the articles that it links to.


Information about certain file types that are blocked after you install
Office 2003 Service Pack 3
http://support.microsoft.com/kb/938810/en-us


Thanks!

I'm bemused to note that it categorizes .dbf as dBASE II files. My
.dbf were created in dBASE IV.


Welcome, I suspect the extention is what is checked, not something in
the file header.