Office


More Excel Flaws

A third Excel flaw has been uncovered in a week, giving Excel users one more thing to worry about and opening one more door for hackers to get into corporate networks.

Here are more details on the third flaw; more details on the second flaw are also available from this article.  This posting also has additional information on the latest vulnerability.

Unfortunately, this new flaw is more critical than the second flaw discovered earlier in the week.  The second flaw required the user to click a specially-crafted hyperlink inside an Excel document, and the latest version of Excel even displayed a dialog box that had to be dismissed after clicking the link.  This new flaw, however, only requires that the user open the Excel document.

These new flaws underscore the need for users to be very wary of unsolicited Office attachments.  If you didn’t ask for it, it very well may be a malicious attachment—exercise caution.

In addition, the recent flaw in Microsoft Word and these flaws in Microsoft Excel have contributed to the placement of Microsoft Office on the SANS Top 20 list of vulnerabilities.

UPDATE:  In following up on these reports, I came across a few additional links with more information on the vulnerabilities, including information that proof-of-concept code to exploit the second Excel vulnerability was available:

Notice of exploit code availability:  http://www.eweek.com/article2/0,1759,1979409,00.asp
Secunia advisory on the second Excel flaw:  http://secunia.com/advisories/20748/
MSRC response to the second Excel flaw:  http://blogs.technet.com/msrc/archive/2006/06/20/437826.aspx
US-CERT Vulnerability Note on the second Excel flaw:  http://www.kb.cert.org/vuls/id/394444


Zero-Day Excel Exploit

Less than a month after the disclosure of a zero-day exploit in Microsoft Word, another zero-day exploit has been found in Microsoft Excel and is being exploited in a highly targeted attack.  As with the Word vulnerability, this one has shown up in attacks against a single customer, but it has gotten the attention of many of the major security vendors.

Brought to my attention by this eWeek article and this posting on Thincomputing.net, the Excel exploit has been disclosed by Microsoft on the Microsoft Security Response Center weblog.  From the specific post on the MSRC for this exploit:

In order for this attack to be carried out, a user must first open a malicious Excel document that is sent as an email attachment or otherwise provided to them by an attacker.

So, security best practices will protect you—just don’t open unsolicited attachments via e-mail.  If the e-mail claims to be from someone you know, contact them directly and see if they sent the message to you.  If they don’t know what you’re talking about, then the message sender is most likely spoofed (faked) and can’t be trusted.

Additional information on protecting yourself against this vulnerability is available in this just-released Microsoft security bulletin.

Note also that Secunia has posted an advisory on this issue as well.  All the major anti-virus vendors are also stating that their signatures have been updated to watch out for malicious Excel files containing the exploit.  However, this attack may morph or mutate in the future, easily bypassing simple signature-based detection, so I wouldn’t count on this as your only layer of protection.

On a slightly related note, this article at Darkreading.com points out that working exploits and/or exploit code already exist for almost one-third of the vulnerabilities patched in the latest round of Microsoft patches.  This underscores the need for organizations to remain as current as possible with security patches, since it now appears that many malicious entities are reverse-engineering each patch to create a virus or worm.  This approach seems to work well, too, since most organizations don’t stay on top of patches.


Paul Thurrott, a longtime reporter on Microsoft and its products, wrote today in “Windows IT Pro UPDATE” (I couldn’t find a link to the article online) that Microsoft’s innovation in their upcoming products, Windows Vista and Office 2007, will lead to a decrease in productivity, not an increase.

The basis for his argument (a position with which I agree, personally) is that Microsoft’s innovation in both Windows Vista and Office 2007 will cause confusion and disorientation for experienced users in an effort to actually make things easier.  Vista’s much-touted Aero UI, while sporting outstanding visual effects, apparently makes it much more difficult to tell which window has the focus.  In an attempt to match the visual effects found in Mac OS X, Microsoft has made the UI more difficult and more confusing.

Likewise, the new “Ribbon” that replaces standard menu bars and toolbars in Office 2007 is a radical departure from the user interface that Microsoft introduced years ago in Office 95.  That interface has since been the model for the user interfaces in office suites such as WordPerfect Office (from Corel), OpenOffice (from OpenOffice.org), and StarOffice (from Sun).  Again, in the name of usability, Microsoft is creating an entirely new interface that will leave experienced users unable to perform tasks as easily and as quickly as they could with prior versions of the Microsoft Office suite.  In fact, it may be easier, as Paul suggests, to migrate to an entirely different suite (preserving a familiar UI) than to upgrade to Office 2007.  Microsoft’s mantra with Office vs. other suites has always been cost of ownership and training; now they’ve created a situation in which their own marketing has convinced users to use their competitors’ products.

This situation highlights the difficulty that Microsoft currently faces—innovate and differentiate itself from its competitors, possibly alienating its own customers, or preserve compatibility and familiarity with previous versions and risk getting left behind.  It’s a very delicate balance.  In this situation, however, I think that Microsoft tipped the scales a little too far.

