Excel flagged as corporate security weak spot

Microsoft's Excel spreadsheet program has become a primary target for hacking attacks, according to security experts recently interviewed by Redmond magazine.

In the last 12 months, for example, Symantec has identified at least six Excel vulnerabilities for which there were no patches. Microsoft notified users of the latest zero-day vulnerability last month, and previously released a set of Excel patches in its July 2007 security bulletin.

"The increase in attacks in Excel are numerous and the application seems to be at the forefront of ushering in frequent application-level attacks that we're seeing more of now than ever," Symantec Security Response manager Ben Greenbaum told Redmond, which calls itself the "independent voice of the Microsoft IT community."

Don Leatham of Arizona-based Lumension Security commented: "Out of all the applications sitting on networks and desktops around the globe, Excel lends itself to be the most natural attack target because of its ubiquity in the corporate world."

As hacking attacks on Windows applications have increased, Microsoft has put a lot of effort into strengthening security in the core operating system, but this focus has taken attention away from vulnerabilities in end-user applications such as Excel, according to the security experts.

Leatham likened alien Excel files to pornography and urged security administrators to tell users not to open such documents. "How often do you hear about IT staff telling people not to click on these documents and they still do?" he asked.

To minimize the risks, he advised setting Excel to disable automatic execution of macros and monitoring Group Policy Objects.

The response from the Excel MVPs and experts on the Daily Dose of Excel Web site was skeptical, with Juan Pablo Gonzalez linking the scare story to another current debate: "I guess this could probably be used as another excuse to kill VBA in future versions of Excel (and Office)."

Jon Peltier pointed out that the article relied heavily on opinions from experts from companies that provided security services. "If they can convince their clients that problems exist, they can increase their revenues," he noted, outlining a classic IT industry "fear, uncertainty and doubt" marketing strategy.

Peltier's suggestion for minimizing malicious attacks was to use a virtual machine for Internet access, without anti-virus software. So far the only "infection" he has experienced has been from tracking cookies. "What the IT guys fear from letting users use Excel and VBA is the loss of control over those users," he added.

By John Stokdyk, technology editor for our sister site, AccountingWEB.co.uk
