Excel Flaws! Got Your Excel Flaws Right Here!

You would think that the killer application that launched an industry more than 15 years ago would be mostly free of flaws and vulnerabilities, but the complexities of Excel and the other applications in Microsoft Office are even more bewildering today than they were then. Excel’s Options dialog is a candidate for worst user interface ever. Typically, it takes two or three tab clicks to locate the desired option, and there are 13 tabs, each chock full of options! But the main problem is inconsistency — some of the options affect only the active sheet, and others affect Excel as a whole. These options are scattered all over the place, and some are sprinkled into the Customize dialog. Even worse, the Options dialog offers a number of buttons that, when clicked, display other dialogs that contain even more options.

According to the CNET News.com report by Joris Evers, "eBay halts auction of Excel flaw":

An online auction of a “brand new vulnerability” in Microsoft Excel had reached about $60 when eBay pulled the item late Thursday. A seller using the name “fearwall” started the auction Wednesday evening [Dec. 7, 2005] at 1 cent. It was up to $56 on Thursday afternoon with 21 bids placed, and eBay quashed the auction soon after that.

eBay has a policy of not encouraging illegal activity, so it made sense for the auction site to remove the item. The flaw was described in the eBay auction description (now removed) as follows:

Microsoft Excel does not perform sufficient data validation when parsing document files. As a result, it is possible to pass a large counter value to [the] msvcrt.memmove() function which causes critical memory regions to be overwritten, including the stack space. The vulnerability can be exploited to compromise a user’s PC. It is feasible to manipulate the data in the document file to get a code of [the] attacker’s choice executed when [the] malicious file is opened by MS Excel. The exploit code is not included in the auction. You must have very advanced skills if you want to further research this vulnerability.

While the eBay auction might have been a hoax, Microsoft is treating the vulnerability as real (see Microsoft Excel Unspecified Memory Corruption Vulnerability and the report in The Register by Robert Lemos of SecurityFocus).
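The auction text describes a count read from the document and handed to memmove() without validation. The following C code is an added example, not code from Excel or from the original post; the record layout, buffer size, and function names are hypothetical. It shows that unchecked pattern next to a version that validates the count first.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical record layout (an assumption, not the real Excel format):
 * 2-byte type, 2-byte little-endian payload length, then the payload. */
#define REC_HEADER 4u
#define CELL_BUF   64u

enum { REC_OK = 0, REC_TRUNCATED = -1, REC_TOO_LARGE = -2 };

/* Constructed sample records. */
static const uint8_t SAMPLE_OK[]  = { 0x01, 0x00, 0x03, 0x00, 'a', 'b', 'c' };
static const uint8_t SAMPLE_BAD[] = { 0x01, 0x00, 0xFF, 0xFF, 'a' }; /* claims 65535 bytes */

static size_t rd_le16(const uint8_t *p) {
    return (size_t)p[0] | ((size_t)p[1] << 8);
}

/* The pattern the auction text describes: the count comes straight from the
 * file and is never compared with the destination size.
 * Shown for contrast only; nothing in this example calls it. */
void copy_record_unchecked(uint8_t *dst, const uint8_t *file) {
    memmove(dst, file + REC_HEADER, rd_le16(file + 2));
}

/* Hardened form: check the count against the bytes actually present in the
 * input and against the destination capacity before copying anything. */
int copy_record_checked(uint8_t *dst, size_t dst_cap,
                        const uint8_t *file, size_t file_len, size_t *copied) {
    if (file_len < REC_HEADER) return REC_TRUNCATED;      /* no full header */
    size_t n = rd_le16(file + 2);
    if (n > file_len - REC_HEADER) return REC_TRUNCATED;  /* length exceeds input */
    if (n > dst_cap) return REC_TOO_LARGE;                /* length exceeds buffer */
    memmove(dst, file + REC_HEADER, n);
    *copied = n;
    return REC_OK;
}

int main(void) {
    uint8_t cell[CELL_BUF];
    size_t n = 0;
    int ok  = copy_record_checked(cell, sizeof cell, SAMPLE_OK, sizeof SAMPLE_OK, &n);
    int bad = copy_record_checked(cell, sizeof cell, SAMPLE_BAD, sizeof SAMPLE_BAD, &n);
    return (ok == REC_OK && bad == REC_TRUNCATED) ? 0 : 1;
}
```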

Vulnerabilities aside, there are plenty of other reasons to eschew Excel. Reviewers have largely been, well, disappointed. “The real innovation is the Page view, showing you how your printed spreadsheet will look while you work with live data; beyond that, though, it’s a little disappointing,” said one [Microsoft Excel 2004 for the Mac review, MacUser, May 2004]. “We’d even argue that many of the features, such as formula error-checking, should have been provided as a service update.” Another reviewer wrote, “This latest release of Excel can be summed up in one word: DISAPPOINTING” [Excel 2003 Review by John Walkenbach of The Spreadsheet Page].

As an anonymous poster pointed out in a comment to the CNET News story, “Why should editing an Excel document have anything to do with affecting your PC’s general operation? It’s insane.”

