Security Experts Weigh In on Excel Bug
By Jabulani Leffall
IT pros looking at solutions to the Microsoft Excel bug that popped up as part of last
week's patch release said Monday that the cell calculation snafu plaguing
Excel 2003 isn't so much a security issue as it is a pain in the neck for programmers
and Windows application developers.
"It's annoying but the worst thing to do is back out of the patch because
it does what it's supposed to," explained Jason Miller, manager of the
data and information team at St. Paul, Minn.-based Shavlik Technologies. "In
the meantime, Microsoft has issued a workaround so what they'll do now is issue
a new patch some time in the future."
Redmond on Friday updated Security
Bulletin MS08-014 to give technologists a better understanding of what was
happening on spreadsheets across the country at the end of last week. For instance,
if your finance department wanted to run customizable models for strategic acquisitions
or download real-time stock quotes and earnings multiples into an instantly
updatable Excel file, you were out of luck: Your calculations of various cells
came to a value of zero, in many cases.
At the root of the problem is the use of arrays calculated from real-time data
in what essentially becomes an interactive worksheet with workflow-based pivot
tables on spreadsheet tabs.
Simply put, the array is a group of data segmented
in digestible customizable batches, which is what Excel is made to do. These
arrays are the sum of many data parts consisting of a cluster of objects that
can be culled from, say, a SQL Server, Oracle database and/or an ERP package-backed
database via Visual Basic for Applications (VBA). If the VBA filter is working
properly, then the data can be accessed easily by indexing -- which is, again,
what Excel is made to do. In most programming languages, every individual element
of an array is usually of the same data type, and together the elements form a larger
block of information occupying a contiguous area of storage.
"Let's say you have four columns with individual info in four cells,"
said Miller, who was working with staff on Monday to find his own
in-house workaround. "With this bug, you wouldn't be able to calculate
the sum of those columns or combine them to calculate the sum. It comes to zero.
Then you would have to refresh and repopulate the cells."
Redmond suggested "changing the macro configuration and running the function
on each cell individually instead of on the array of cells."
While this is a quick-fix solution for the majority of Excel 2003 users, the
real-world application of the popular spreadsheet program is being stretched
to the limits by the dynamic requirements of some business segments -- particularly
finance, where data is most often used in real time.
For instance, Geva Perry, chief marketing officer at GigaSpaces, a New York-based
software consultancy that provides scalability services for high-volume transactional
applications, said some equity and bond traders are attached to Excel to the
extent that switching to new spreadsheet software is not a viable alternative.
This, despite the fact that even on Excel 2007, a routine refresh of a worksheet
has been known to have a lead time of almost 15 minutes, thus affecting
efficiency in a "now" environment.
Nor is a bug of this kind uncommon: miscalculation
glitches have been found recently in late editions of Excel.
In September of 2007, a similar
bug emerged in Excel 2007 that caused some multiplication tables to return
erroneous results. A month later, the short-term fix became available for downloading
per a posting on the Excel blog for both Excel 2007 and Excel Services 2007
in its 32-bit and 64-bit versions. Microsoft also published Knowledge
Base articles about the Excel 2007 and Excel Services 2007 bugs. The permanent
fix for that one is slated to be included in the first service pack for Office
While these events may eventually become a concern for on-the-go finance types, Dee Liebenstein of Scottsdale, Ariz.-based
Lumension Security doesn't see a whole lot of cause for alarm right now.
"Like any patch management program, it comes down to assessing the risk,"
said Liebenstein, who is Lumension's senior director of product management.
"I would say if you haven't already patched Excel, just go ahead and do
it for the workstations that don't use this real-time capability, and in many
enterprises there will be more workstations that don't."
How soon Redmond will roll out a new patch is anybody's guess, but experts
agree that Microsoft wants to bide its time to get it right, especially given
the numerous lines of code required to make the popular number-crunching app
run the way it's supposed to.
"Given what's going on, I'm confident [Microsoft] will make sure the new
patch is fully tested and ready for primetime before it hits the streets,"
Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.