News

Zero-Day Exploit for Excel Now, Too

Microsoft last week added another to a running tally of Office zero-day exploits that currently includes four known Word attacks.The software giant confirmed that it was investigating reports of a new round of "very limited" Excel zero-day attacks that exploit vulnerabilities in Office 2000, Office 2002 (XP), Office 2003 and Office 2004 Mac Edition.

While the new attacks specifically exploit Excel, Microsoft warned that "other Office applications are potentially vulnerable" and advised customers to be wary.

The new attacks exploit a very familiar vector: An attacker entices an unsuspecting user to open a malicious Excel file, usually by means of attaching it to an e-mail or by providing a URL from which it can be downloaded. From there, Microsoft says, a successful attacker could gain complete control over a compromised machine.

"This is an issue that could allow an attacker to execute code on a user's machine in their security context by convincing them to open a specially-crafted Office document," confirmed Alexandra Huft in a posting to Microsoft's Security Research Center (MSRC) blog last week. "We are aware of very limited, targeted attacks attempting to use the vulnerability reported."

The new Excel exploit is the second in as many weeks: Late last month, the software giant confirmed another Word zero-day exploit, bringing the tally of known Word zero-day attacks to four.

Security researcher Symantec Corp. last week identified a possible fifth Word zero-day exploit, but ultimately concluded that the new attacks -- which were submitted to Symantec by affected client organizations -- were instead variations of an existing Word Unspecified Code Execution Vulnerability.

The software giant hasn't yet issued patches for any of the four known zero-day exploits, but with February's Patch Tuesday looming, Microsoft will hopefully close the loop on these and other outstanding issues. Stay Tuned.

A View to a Kill
Elsewhere, Symantec produced a video that purports to illustrate what to expect from any of several "targeted" Word attacks (in this case, Trojan.Mdropper.W) The salient takeaway, writes Symantec researcher Elia Florio, is that "the vulnerability is exploited with no crash of MS Word, but within a few seconds the shellcode drops an executable and opens a clean legitimate document (with some real content) that deceives the user."

This attack is virtually stealthy, Florio confirms. "The only thing that 'smart' users can notice is a kind of 'flickering' of MS Word. This is because the malicious code has to terminate and then re-execute the MS Word application with the new clean .DOC. This 'flickering' happens very quickly."

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.