Any organisation which uses Excel spreadsheets needs to take action:
The Australian Government Cybersecurity Centre has released a critical alert arising from a newly discovered weakness (CVE-2021-42292) that allows criminals to weaponise Excel spreadsheets.
- Check whether your firm uses the affected Excel/MS Office versions
- Patch vulnerable software
- In the meantime, treat incoming Excel spreadsheets with even more suspicion than usual.
Is my firm likely to have a problem?
Affected software may be quite widespread in law firms. Many server and local computer-based installations of Microsoft Office and Microsoft Excel, including versions for Apple devices, are impacted. Not every version of Excel is an issue. Excel as part of Office 365 is not currently identified as a problem, although some apps which go with it are.
What is the risk?
If your system is vulnerable, criminals can hide code inside Excel spreadsheets, which allows them entry to your computer network. A staff member would need to open the spreadsheet for the attack to start.
It is worth remembering that this is always the case to some extent – macros in many Microsoft documents can work in the same way. We should always be very cautious when opening MS Office documents from unexpected or unknown sources. However, this new vulnerability bypasses many of the protections otherwise available.
What should your firm do?
Firstly, remind staff not to open spreadsheets unless they are confident of the source. Always check that it comes from the correct email address (not one that looks similar) and inspect the content using the preview function before opening it. This is a useful reminder in any event.
Secondly, check with your IT support whether you have affected software versions and that they will be ‘patched’ shortly. (A patch is a software update released by the software vendor which fixes a problem.)
If you have staff working from home using their own computers, remember that these devices will be vulnerable as well.
Keeping software up to date is more critical than ever
There has been a flood of critical vulnerability alerts affecting common software this year. Cybercriminal organisations have stolen hundreds of millions of dollars in recent times and can resource teams of specialists to discover holes in network security.
When a vulnerability is found, criminals know they have a limited period to exploit it and do so quickly. Software vendors are usually close behind with a patch to fix the problem, but a patch does not protect you until it is applied.
All firms using IT equipment (including phones, servers, laptops, etc.) must ensure they are using up-to-date versions of software and that patching is done regularly. In most cases even small firms should obtain expert help in doing this.