Microsoft Reissues Security Patch for Excel 2003

A calculation-error bug in Microsoft Office Excel 2003, which was acknowledged by Microsoft last Friday, has been resolved with a security update.

Microsoft Security Response Center (MSRC) blogger Tim Rains pointed to an updated security bulletin, MS080-014, dated March 19. The bulletin had originally been issued on March 11 during the Patch Tuesday update cycle, with the aim of addressing four "critical" fixes in Microsoft products, including a remote code execution flaw in Excel 2003.

The initial patch fixed Excel 2003's security problem, but unmasked the calculation problem too.

The revised bulletin MS080-014 points readers to an updated security update 943985 (buried in MS080-014's FAQ), which resolves the Excel 2003 calculation error. The 943985 security update states the following under "Resolution":

"Microsoft has completed research about this issue and has re-released security update 943985 for users of Microsoft Office Excel 2003 Service Pack 2 and of Microsoft Office Excel 2003 Service Pack 3."

This rereleased Excel 2003 security fix also will be offered to users through Microsoft's Automatic Updates.

Blogger Rains explained that the Excel calculation error was associated with the use of real-time data in Excel, based on a "user-created Visual Basic for Applications solution." Such a setup returned an incorrect zero result after the initial Excel 2003 security patch had been applied.

The problem tended to affect "on-the-go finance types," according to expert opinion, and affected users tended to have "a custom-built VBA function" in place, Rains said.

About the Author

Kurt Mackie is online news editor, Enterprise Group, at 1105 Media Inc.