back to article Zoll Defibrillator Dashboard would execute contents of random Excel files ordinary users could import

A defibrillator management platform was riddled with vulnerabilities including a remote command execution flaw that could seemingly be invoked by uploading an Excel spreadsheet to the platform. Or so warned the US's Cybersecurity and Infrastructure Security Agency, which said the Defibrillator Dashboard software, made by …

  1. Eclectic Man Silver badge

    Excel

    As has been suggested many times on the Register's comments sections, there needs to be a serious review of the uses of Excel in organisations' IT.

    1. Headley_Grange Silver badge

      Re: Excel

      Summary of my experiences installing/upgrading ERP/MRP/CRM systems

      Director: "And get rid of all that Excel stuff - I want everything on the new system. We can't afford to be shifting stuff back and forth between Excel and if Anna leaves no-one knows how to compile the reports cos she wrote all those macros that no one understands"

      Team: "These are the costs of customizing the vanilla product to match our current processes."

      Director: "Bugger that. There's nothing special about what we do so we'll change our processes to fit the vanilla product. "

      .... vanilla system installed, processes changed, all tested, gone live, things running smoothly......

      Director, waving powerpoint full of Excel charts: "I need the report that looks like this for this quarter"

      Team: "We can't do that because you wouldn't pay for customization or for the OLAP add-on"

      Director: "But I need it tomorrow for the board meeting. Just do it all in Excel"

      Team "...anyone got Anna's phone number?"

      1. Binraider Silver badge

        Re: Excel

        My work life, every day, every week.

        Letting the Human Glue break now and then might force the investment required. I'm not betting on it.

        1. Eclectic Man Silver badge

          Re: Excel

          I once did an ISO 27001 review of an organisation. Each sales person / representative had their own little Excel spreadsheet or other means of recording their contacts. I hd to point out that firstly, they were the organisations' clients not the salespeople's clients so should all appear on an organisation database, and secondly, as each person's way of storing their client data was ad hoc, there was no chance that anyone would be able to retrieve that data in the absence of the originator and thirdly, this way of handing personal details 300 (yes three HUNDRED) separate 'databases' was almost certainly in breach of then data protection legislation.

          Excel is wonderful, for some things, but the problem is that 'ordinary people'* rather than database specialists can use to store and manage data without really knowing very much and can get into an awful mess.

          We should leave it to the highly trained professionals, probably.

          *for example, me.

    2. Anonymous Coward
      Anonymous Coward

      Re: Excel

      I see "Purchase Orders" arrive as Excel spreadsheets every week or two although these days more of the infection attempts arrive as Purchase_Order.HTML ... occasionally they are real. To keep everyone safe I block all suspect attachments in the mail-server and only release them after a detailed check.

      1. Anonymous Coward
        Anonymous Coward

        Re: Excel

        What? Any fool knows you send purchase orders as PDFs.

        Otherwise the recipient could edit them to say whatever they wanted.

        (Anon, cuz I've worked with people that think like that... you know, people who think the 'P' stands for 'permanent')

      2. Anonymous Coward
        Anonymous Coward

        Re: Excel

        I've seen invoices created off-system for an important customer who insisted on a special template. The accounts system could manage this without much effort but for some reason it was all done via Excel. A macro pulled the data from accounts, created the invoices, mailed them to the customer's hard-coded email address, set the ledger flag to "issued" and printed a copy on the printer that used to be in Accounts - now somewhere else and next to a handy shredder, which is where the invoices were put by the locals. It worked fine until the customer changed email address and got pretty annoyed when they were hassled for not paying invoices they had never seen.

  2. Rob Daglish Bronze badge

    Quite frankly, I find this shocking…

    Ah…

    1. Korev Silver badge
      Coat

      Yeah, it wouldn't be too heart to fix...

  3. DJ
    Joke

    ..but is this current? (sorry)

  4. Ken Moorhouse Silver badge

    Upgrade to a Derillator

    No more fibs.

  5. vtcodger Silver badge

    Going home

    I'm having a bit of trouble with the concept of fleets of defibrillators controlled by Excel spreadsheets. Am I misreading something? No?

    Look, I wasn't all that wild about the parallel universe I was living in. In fact, it looked to be wall-to-wall crackpots back there. But I'm clearly not cut out for this one. Can anyone provide me with instructions for returning home where my biggest worry was whether Covid vaccine would magnetize me?

  6. JWLong

    This gives.......

    ....... a new meaning to BSOD.

  7. Anonymous Coward
    Anonymous Coward

    I had some experience at a vendor for Zoll some years back.

    Let's just say that if I'm ever in the back of an ambulance and the medics start hooking me up to equipment that says Zoll on the box, my heart may react poorly.

  8. David 132 Silver badge

    "Executes the contents of the spreadsheet"... Wait, wha..?

    Why are spreadsheets even being "executed"?

    This reminds me of that XKCD cartoon where the punchline was "the server crashes if the user's password is a resolvable URL"...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022