Microsoft 'testing a fix' after Tuesday's patch loosed new Excel 2003 bug


Microsoft Corp. yesterday told Excel users that one of the 12 patches issued Tuesday causes the spreadsheet to make mistakes in some calculations.

In a warning posted Thursday, Bill Sisk, security response communications manager, said that the fixes outlined in the MS08-014 bulletin "causes Microsoft Excel 2003 calculations to return an incorrect result when a Real Time Data source is used."

According to a more detailed addition to MS08-014, Excel 2003 Service Pack 2 (SP2) and Excel 2003 SP3 return an incorrect result -- usually "0" -- when a Real Time Data source is used in a Visual Basic for Applications function, or macro.

"If you have applications that leverage Real Time Data sources in Visual Basic for Applications functions, we recommend that you perform additional testing before initiating a wide deployment of the update," advised the new version of the bulletin.

Real Time Data was added to Excel in the 2002 version of the spreadsheet, and allows users to have data automatically pushed into a spreadsheet from a variety of sources, Web sites included.

"Our teams are testing a fix and will release it once it meets our quality bar for broad distribution," Sisk promised.

In the meantime, Microsoft suggested that users run any function containing a Visual Basic macro that refers to a Real Time Data source on each cell individually, rather than on an array of cells.

On Tuesday, Microsoft rolled out four security bulletins that patched a dozen vulnerabilities, all in Office, including seven critical bugs in Excel under the umbrella of MS08-014. Microsoft did not specify which of the seven fixes "broke" Excel 2003's calculations of Real Time Data.

One of the patches deployed Tuesday fixed an Excel flaw that had been exploited for at least two months in targeted attacks.