Scott's Weblog The weblog of an IT pro specializing in cloud computing, virtualization, and networking, all with an open source view

Zero-Day Excel Exploit

Less than a month after the disclosure of a zero-day exploit in Microsoft Word, another zero-day exploit has been found in Microsoft Excel and is being exploited in a highly targeted attack. As with the Word vulnerability, this one has shown up in attacks against a single customer, but it has gotten the attention of many of the major security vendors.

This came to my attention via an eWeek article and a posting on Thincomputing.net; Microsoft has disclosed the Excel exploit on the Microsoft Security Response Center (MSRC) weblog. From the MSRC post on this exploit:

In order for this attack to be carried out, a user must first open a malicious Excel document that is sent as an email attachment or otherwise provided to them by an attacker.

So, standard security best practice protects you here: don't open unsolicited e-mail attachments. If the e-mail claims to come from someone you know, contact that person directly and confirm they sent it. If they don't know what you're talking about, the sender address is most likely spoofed (faked) and the message can't be trusted.

Additional information on protecting yourself against this vulnerability is available in this just-released Microsoft security bulletin.

Note also that Secunia has posted an advisory on this issue as well. All the major anti-virus vendors are also stating that their signatures have been updated to watch out for malicious Excel files containing the exploit. However, this attack may morph or mutate in the future, easily bypassing simple signature-based detection, so I wouldn’t count on this as your only layer of protection.

On a slightly related note, this article at Darkreading.com points out that working exploits and/or exploit code already exist for almost one-third of the vulnerabilities fixed in the latest round of Microsoft patches. This underscores the need for organizations to stay as current as possible with security patches, since it now appears that many malicious actors reverse-engineer the patches themselves to create a virus or worm. This approach seems to work well for them, too, since most organizations don't stay on top of patching.
