Proactive IT Security
 

Microsoft Excel 97 CALL vulnerability

Security Information, Week 2, 1999

Late last year a new security problem was reported in Microsoft Excel 97.

The problem is that potentially malicious programs can be run from an Excel worksheet without warning the user.

This is accomplished through the advanced CALL function in Excel. This function enables a spreadsheet to call a procedure in, for example, a DLL or other executable, which may carry out an unintended action. The CALL function itself is a legitimate program function and does no harm on its own; it is the called executable that may perform the malicious action. Unlike Excel macros, a CALL function used as a worksheet function does not generate a warning to the user before executing.
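Because no warning is shown, one way to review a workbook is to look for CALL in its formulas before opening it. The following is an added example, not part of the original bulletin or of any Microsoft tool: it assumes the formulas have already been extracted as text, and the cell names, formulas, and the names example.dll and DoWork are constructed for illustration.

```python
import re

# Constructed sample input: cell -> formula text (assumed already extracted from a workbook).
SAMPLE_FORMULAS = {
    "A1": '=SUM(B1:B10)',
    "A2": '=CALL("Kernel32","GetTickCount","J")',
    "A3": '="Please CALL(me) back"',                      # CALL only inside a text string
    "A4": '=IF(B2>0, call( "example.dll" , "DoWork", "JJ", B2), 0)',
    "A5": '=RECALL(1)',                                   # different name ending in CALL
    "A6": '=CALL(B1,"DoWork","J")',                       # first argument is not a literal
}

# CALL( that is not the tail of a longer identifier.
CALL_RE = re.compile(r'(?<![A-Za-z0-9_.])CALL\s*\(', re.IGNORECASE)
# One string-literal argument; Excel escapes a quote inside a string by doubling it.
STR_ARG_RE = re.compile(r'\s*"((?:[^"]|"")*)"\s*(?:,|\))')

def mask_strings(formula):
    """Blank out string-literal contents, keeping offsets, so text is never matched."""
    out, in_str = [], False
    for ch in formula:
        if ch == '"':
            in_str = not in_str          # a doubled quote toggles twice, staying inside
        out.append(ch if ch == '"' or not in_str else ' ')
    return ''.join(out)

def find_call_usage(formula):
    """Return (module, procedure) for each CALL( outside strings; None if not literal."""
    hits = []
    for m in CALL_RE.finditer(mask_strings(formula)):
        pos, args = m.end(), []
        for _ in range(2):               # first two arguments: module and procedure
            a = STR_ARG_RE.match(formula, pos)
            if not a:
                break                    # computed argument: stop, leave the rest unknown
            args.append(a.group(1).replace('""', '"'))
            pos = a.end()
        args += [None] * (2 - len(args))
        hits.append((args[0], args[1]))
    return hits

def scan(formulas):
    """Map each cell that uses CALL to the list of (module, procedure) it references."""
    flagged = {}
    for cell, formula in formulas.items():
        hits = find_call_usage(formula)
        if hits:
            flagged[cell] = hits
    return flagged
```

A result of `(None, None)` means the target is computed from other cells and has to be traced by hand.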

Microsoft has released a patch which disables this vulnerability (Excel Service Release 2 required).

More information about the Excel CALL vulnerability is available from Microsoft's knowledge base article about this topic.

Per Olav Førland