Security Experts Weigh In on Excel Bug

IT pros looking at solutions to the Microsoft Excel bug that popped up as part of last week's patch release said Monday that the cell calculation snafu plaguing Excel 2003 isn't so much a security issue as it is a pain in the neck for programmers and Windows application developers.

"It's annoying but the worse thing to do is back out of the patch because it does what it's supposed to," explained Jason Miller, manager of the data and information team at St. Paul, Minn.-based Shavlik Technologies. "In the meantime, Microsoft has issued a workaround so what they'll do now is issue a new patch some time in the future."

Redmond on Friday updated Security Bulletin MS08-014 to give technologists a better understanding of what was happening on spreadsheets across the country at the end of last week. For instance, if your finance department wanted to run customizable models for strategic acquisitions or download real-time stock quotes and earnings multiples into an instantly updatable Excel file, you were out of luck: Your calculations of various cells came to a value of zero, in many cases.

At the root of the problem is the use of arrays calculated from real-time data in what essentially becomes an interactive worksheet with workflow-based pivot tables on spreadsheet tabs.

Simply put, the array is a group of data segmented into digestible, customizable batches, which is what Excel is made to do. These arrays are the sum of many data parts, consisting of a cluster of objects that can be culled from, say, a SQL Server database, an Oracle database and/or an ERP package-backed database via Visual Basic for Applications (VBA). If the VBA filter is working properly, then the data can be accessed easily by indexing -- which is, again, what Excel is made to do. In most programming languages, the individual elements of an array are usually of the same data type and together make up a larger block of information occupying a contiguous area of storage.

"Let's say you have four columns with individual info in four cells," said Miller, who was working with staff on Monday to find his own in-house workaround. "With this bug, you wouldn't be able to calculate the sum of those columns or combine them to calculate the sum. It comes to zero. Then you would have to refresh and repopulate the cells."

Redmond suggested "changing the macro configuration and running the function on each cell individually instead of on the array of cells."

While this is a quick-fix solution for the majority of Excel 2003 users, the real-world application of the popular spreadsheet program is being stretched to the limits by the dynamic requirements of some business segments -- particularly finance, where data is most often used in real time.

For instance, Geva Perry, chief marketing officer at GigaSpaces, a New York-based software consultancy that provides scalability services for high-volume transactional applications, said some equity and bond traders are attached to Excel to the extent that switching to new spreadsheet software is not a viable alternative. This is despite the fact that, even on Excel 2007, a routine refresh of a worksheet has been known to have a lead time of almost 15 minutes, which affects efficiency in a "now" environment.

Nor is a bug of this kind uncommon: miscalculation glitches have been found recently in late editions of Excel.

In September of 2007, a similar bug emerged in Excel 2007 that caused some multiplication tables to return erroneous results. A month later, the short-term fix became available for downloading per a posting on the Excel blog for both Excel 2007 and Excel Services 2007 in its 32-bit and 64-bit versions. Microsoft also published Knowledge Base articles about the Excel 2007 and Excel Services 2007 bugs. The permanent fix for that one is slated to be included in the first service pack for Office 2007.

While these events may eventually become a concern for on-the-go finance types, Dee Liebenstein of Scottsdale, Ariz.-based Lumension Security doesn't see a whole lot of cause for alarm right now.

"Like any patch management program, it comes down to accessing the risk," said Liebenstein, who is Lumension's senior director of product management. "I would say if you haven't already patched Excel, just go ahead and do it for the workstations that don't use this real-time capability, and in many enterprises there will be more workstations that don't."

How soon Redmond will roll out a new patch is anybody's guess, but experts agree that Microsoft wants to bide its time to get it right, especially given the numerous lines of code required to make the popular number-crunching app run the way it's supposed to.

"Given what's going on, I'm confident [Microsoft] will make sure the new patch is fully tested and ready for primetime before it hits the streets," Liebenstein said.

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.