Microsoft Confirms Excel Zero-Day Attack
Guglio writes "Eweek has a story about a new, undocumented Excel flaw that is being used in a targeted attack against an unnamed business. The latest zero-day attack comes just two days after Patch Tuesday (coincidence?) and less than a month after a very similar, 'super, super targeted attack' against business interests overseas. The back-to-back zero-day attacks closely resemble each other and suggest that well-organized criminals are conducting corporate espionage using critical flaws purchased from underground hackers."
Patches for this problem available here, here and here.
You're waiting for Swordfish (2001)?
In this case it isn't a macro, they're using a buffer overflow error in the code that loads and interprets MS-Office files.
Basically, what happens is that the Office reading routine creates room on the stack for some variable, to hold X bytes. Right behind those X bytes, there is the return address for the subroutine (so the reader subroutine can actually come back to the original program).
Now, this return address is being overwritten by an address that points into the spreadsheet instead (it's not THAT simple, but that's the general idea behind it). And in that area of the spreadsheet, you don't find spreadsheet data but instead you have executable code. Which is then, of course, executed (because Office thinks it's "his" code).
Quite simple. And easily avoided (the way to do it can be seen below in another subthread, by a rather good example).
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
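The bounds check that prevents the overflow described in the comment above, as an added example that is not part of the original thread. The record layout (a 2-byte length followed by the payload), the function names and the sample files are constructed for illustration and are not Excel's real format or code.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CELL_MAX 16   /* the fixed "X bytes" the reader reserves on the stack */

enum { REC_OK = 0, REC_TRUNCATED = -1, REC_TOO_LONG = -2 };

/* Constructed record layout (hypothetical, not Excel's real format):
 * 2-byte little-endian payload length, then the payload bytes. */

/* Copy one record's payload into a fixed stack buffer. The unchecked form of
 * this routine is just memcpy(cell, p + 2, len) with len taken from the file. */
static int read_record(const uint8_t *p, size_t avail, uint8_t *out, size_t *used)
{
    uint8_t cell[CELL_MAX];
    if (avail < 2) return REC_TRUNCATED;          /* no room for the header */
    size_t len = (size_t)p[0] | ((size_t)p[1] << 8);
    if (len > sizeof cell) return REC_TOO_LONG;   /* would run past the buffer */
    if (len > avail - 2) return REC_TRUNCATED;    /* would read past the file */
    memcpy(cell, p + 2, len);
    memcpy(out, cell, len);
    *used = 2 + len;
    return REC_OK;
}

/* Walk every record; return the count accepted, or a negative REC_* code
 * for the first malformed record so the whole file is rejected. */
int parse_file(const uint8_t *file, size_t file_len)
{
    uint8_t out[CELL_MAX];
    size_t off = 0, used = 0;
    int count = 0;
    while (off < file_len) {
        int rc = read_record(file + off, file_len - off, out, &used);
        if (rc != REC_OK) return rc;
        off += used;
        count++;
    }
    return count;
}

/* Constructed sample inputs. */
const uint8_t good_file[] = { 3,0,'a','b','c',  2,0,'h','i' };
const uint8_t long_file[] = { 3,0,'a','b','c',  0x40,0,'A','A','A','A' }; /* declares 64 > 16 */
const uint8_t cut_file[]  = { 5,0,'a','b' };    /* declares 5, only 2 present */

int main(void) { return parse_file(good_file, sizeof good_file) == 2 ? 0 : 1; }
```

The two comparisons before the first `memcpy` are the whole fix: the length declared in the file is checked against both the destination buffer and the bytes actually present before anything is copied.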