Excel Flaw Highlights Need for Better App Security

Experts believe the rising number of exploits targeting Excel gives attackers an incentive to keep hunting for flaws in applications -- rather than in operating systems.

Don Leatham of Lumension Security has a first-step remedy to the ongoing security concerns around Microsoft's Excel application.

"IT guys should tell end users right off the bat that if they see an unrecognizable Excel document in their inbox, they should treat it like porn -- it's not something you should be opening up at work."

Extreme measures aside, because Excel is one of the most commonly used software applications on the planet, it is also increasingly the most frequent target for client-side attacks, security experts say.

In the last 18 months alone there were more than 33 documented vulnerabilities that pertained specifically to the popular spreadsheet program, a number Microsoft would neither confirm nor deny. While this seems like a large number -- an average of almost two every month for that duration -- these are just the documented cases. This prompts IT security mavens to assert that securing Excel -- even above Internet Explorer -- should be Job No. 1 where Windows programs are concerned.

"Out of all the applications sitting on networks and desktops around the globe, Excel lends itself to be the most natural attack target because of its ubiquity in the corporate world," said Leatham, director of solutions strategy for Lumension, which is based in Scottsdale, Ariz. "This is definitely the one program IT pros are really pulling their hair out over because more often than not, Excel documents carry sensitive information such as financial data and the like."

In mid-January, Microsoft's security group said there were continual attacks exploiting a flaw in most versions of the popular spreadsheet program.

The software giant's Security Response Center said the attacks were mostly sporadic and targeted rather than running amok in the wild. The remote code execution exploit, which has yet to be patched, has been deployed using a bug found mostly in Excel 2000, Excel 2002, Excel 2003 Service Pack 2, Excel Viewer 2003 and Excel 2004 for Mac.

Redmond released its last Excel-specific patch in August 2007, when security bulletin MS07-044 was supposed to have plugged the same kind of vulnerability. The likely attack path is to attach a malformed document to an e-mail or post it on a Web site, then convince users to open the file. In the workplace, security observers say the most common titles of these documents read "pending layoffs," "executive salaries," "management bonuses" and "special project," with the company's name appended in cases where the attacks were more targeted.

"The increase in attacks in Excel are numerous and the application seems to be at the forefront of ushering in frequent application-level attacks that we're seeing more of now than ever," said Ben Greenbaum, a manager for Symantec Security Response.

In the last 12 months, Greenbaum said, Symantec had itself identified at least six in-the-wild Excel exploits for which there were no corresponding patches.

As of the end of January, Microsoft had not ruled out patching Excel but still didn't disclose any specifics about its future plans. A spokesperson would only say that the company would "continue to investigate the public reports and customer impact, taking the appropriate action to help protect customers, when the investigation concluded."

Excel's Rise to Omnipresence
In 1985, Microsoft released the first version of the application for the Mac; it is now said to be on more than 85 percent of the world's PCs. The first Windows version followed two years later, in 1987. The release was an effort to compete with Lotus' then-market-leading 1-2-3 number-crunching program, whose share Excel eventually took in 1988. Many software historians even credit Excel with Microsoft's ascendancy. But from the 1990s on, the security focus was mainly on networks, because of the then-nascent Internet, and later on the operating system, once Windows 95 catapulted Redmond into the software stratosphere.

But today, observers say, Microsoft spent so much time securing the OS that many independent service vendors, such as security consultants and even IT and finance auditors, followed Redmond's lead. As a result, few foresaw how critical application security would be in a post-OS environment.

"It's possible that some companies have been more laid-back about patching their office products like Excel," said Graham Cluley, senior security consultant at Oxford, England-based security consultancy Sophos. "Meanwhile, application developers like Microsoft need to do more to ensure that their code cannot be exploited by crafty hackers looking to break into vulnerable PCs via buggy software."

This is easier said than done because, although it is one of many programs in the Microsoft Office suite, Excel -- like IE -- is also a development platform: it can be used to build macros, perform database table extractions and create and manipulate pivot tables. Nefarious intentions are therefore easy to hide inside the tens of millions of lines of code contained therein.

Moreover, Excel is emerging as an actual business intelligence tool that is falling under the purview of IT compliance as it relates to Sarbanes-Oxley and other business mandates.

Gregory Grocholski, finance director for Dow Chemical, likes to use Excel as an everyday example of how applications are changing the way companies look at not only IT security but its role in validating financial reporting.

"While an IT auditor may not audit Excel itself, the auditor should perform testing on the calculations that ultimately result in a number that would be used to make an accounting entry," he said. "That's a reason why such a program would need to be foolproof."

Meanwhile, as IT pros wait on a patch, Redmond has introduced at least one workaround for Excel 2003 and older versions. In a recent Knowledge Base article, Microsoft recommended running any unfamiliar or suspicious attachments through the Microsoft Office Isolated Conversion Environment (MOICE). That option, however, is not available for Excel 2000 or 2002.

And for those not quite ready to inject porn into the security conversation, Lumension's Leatham said security administrators should be double-checking Group Policy Objects and configuring Excel so that macros do not execute automatically. Marking sensitive documents read-only is another easy manual control to implement. Lastly, he said, an overarching enterprise policy is key.
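The two manual controls above (a macro security level that blocks automatic macro execution, and read-only sensitive workbooks) can be audited from the workstation. The following PowerShell script is an added example written for this article, not code from Microsoft or Lumension. The registry locations it reads are the ones the writer expects for Excel 2000/2002/2003 (the per-user key and the Group Policy-managed key under Software\Policies); confirm them against the Office Resource Kit for your Office version before relying on the check. The folder path is a placeholder.

```powershell
# Added example (not from the article): audit Excel macro security and
# read-only status of sensitive workbooks on a Windows client.
# Assumption: the Level DWORD under ...\Office\<ver>\Excel\Security holds the
# macro security level (1=Low, 2=Medium, 3=High, 4=Very High; 4 is Excel 2003 only).

$ExcelVersions = @{ '9.0' = 'Excel 2000'; '10.0' = 'Excel 2002'; '11.0' = 'Excel 2003' }
$LevelNames    = @{ 1 = 'Low'; 2 = 'Medium'; 3 = 'High'; 4 = 'Very High' }
$MinimumLevel  = 3   # "High": unsigned macros are not run at all

function Get-ExcelMacroSecurity {
    # Returns one record per installed Excel version and per setting source.
    # A policy value (Software\Policies) overrides the user value, so both are reported.
    foreach ($ver in $ExcelVersions.Keys) {
        $sources = @(
            @{ Name = 'Policy'; Path = "HKCU:\Software\Policies\Microsoft\Office\$ver\Excel\Security" },
            @{ Name = 'User';   Path = "HKCU:\Software\Microsoft\Office\$ver\Excel\Security" }
        )
        foreach ($src in $sources) {
            if (-not (Test-Path $src.Path)) { continue }
            $props = Get-ItemProperty -Path $src.Path -ErrorAction SilentlyContinue
            if ($null -eq $props -or $null -eq $props.Level) { continue }
            $level = [int]$props.Level
            [PSCustomObject]@{
                Product   = $ExcelVersions[$ver]
                Source    = $src.Name
                Level     = $level
                LevelName = $LevelNames[$level]
                Compliant = ($level -ge $MinimumLevel)
            }
        }
    }
}

function Set-ExcelMacroSecurity {
    # Raises the per-user macro security level. Use Group Policy for fleet-wide
    # enforcement; this function is for a one-off fix on a single machine.
    param(
        [Parameter(Mandatory = $true)][ValidateSet('9.0', '10.0', '11.0')][string]$Version,
        [ValidateRange(1, 4)][int]$Level = $MinimumLevel
    )
    $path = "HKCU:\Software\Microsoft\Office\$Version\Excel\Security"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name 'Level' -Value $Level -Type DWord
}

function Get-WritableWorkbooks {
    # Lists spreadsheets under a folder that are NOT marked read-only,
    # i.e. candidates for the manual read-only control Leatham describes.
    param([Parameter(Mandatory = $true)][string]$Folder)
    Get-ChildItem -Path $Folder -Recurse -Include '*.xls', '*.xlt' -ErrorAction SilentlyContinue |
        Where-Object { -not $_.IsReadOnly } |
        Select-Object FullName, Length, LastWriteTime
}

# Usage (placeholder path; replace with the share holding financial workbooks):
Get-ExcelMacroSecurity | Format-Table -AutoSize
Get-WritableWorkbooks -Folder 'C:\PLACEHOLDER\Finance' | Format-Table -AutoSize
# To remediate a single Excel 2003 install:  Set-ExcelMacroSecurity -Version '11.0' -Level 3
```

Any row with Compliant set to False means the user can still run unsigned macros from an attachment, regardless of what the e-mail policy says. Because the Policy row wins over the User row, a compliant Policy entry is the one that actually matters; a User entry alone can be changed back by the user through the Tools menu.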

"How often do you hear about IT staff telling people not to click on these documents and they still do?" he said. "From a back-end perspective, you pretty much have to wait for the patch and, when it comes, install it immediately. Until then, managing end users is a difficult challenge. Bottom line is that securing Excel should be on top of your IT shop's list."