Zero-Day Excel Exploit In the Wild

snydeq writes "Microsoft Excel has a zero-day vulnerability that attackers are exploiting on the Internet, according to security vendor Symantec. The problem affects Excel 2007 both without and with Service Pack 1, according to an advisory on SecurityFocus, and other versions going back to Excel 2000. The program's vulnerability can be exploited if a user opens a maliciously crafted Excel file, allowing a hacker to leave a Trojan horse on the infected system."

An Exploit

An exploit? In my Microsoft product?

SAY IT AIN'T SO!!!

Random E-mails

[0prime]

Well, let me just open this excel file detailing the financial agreement I will be making with Mr. Ugubu. Surely there is nothing wrong with opening attachments from untrusted sources.

Re:Random E-mails

[the_humeister]

What do you mean "untrusted." He just sent me an email detailing how he is the caretaker of the Nigerian's former king's fortune. It sounds official too.

Re:Random E-mails

[gEvil+(beta)]

What do you mean "untrusted." He just sent me an email detailing how he is the caretaker of the Nigerian's former king's fortune. It sounds official too.

No kidding. I got an email a few weeks ago from Kofi Annan that talked about how he and some "big wigs at the UN" (his words, not mine) were looking for ways to split up some money, and he was wondering if I would be interested in receiving a share. I've heard of Kofi Annan and know that he was associated with the UN at one point, so it doesn't get any more official sounding than that.

Re:Random E-mails

[Lord+Ender]

Surely there is nothing wrong with opening attachments from untrusted sources.

The real danger is in opening attachments from trusted sources. If this is used with an email worm, it will look like it is coming from your friends, coworkers, or any of your eight bosses. As a high priority, due yesterday, mission-critical action-item.

Re:Random E-mails

[aarroneous]

I was just thinking that - it's 2009. Who is still opening DOC or XLS attachments?

Umm... practically any company that does business with any municipal or state governmental agencies, law firms, accounting firms, etc etc. The question is who isn't opening DOC or XLS attachments from their clients, and how do they plan to stay in business?

A work-around for it... apk

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

APK

Re:A work-around for it... apk

[fuzzyfuzzyfungus]

That is only a workaround if you hate the guts of everybody who works the help desk...

Re:A work-around for it... apk

[meringuoid]

The average end-user doesn't want to have to open registry editors and manually modify esoteric values in obscure text configuration files. No matter how much hobbyists and enthusiasts wish otherwise, until there's an idiot-proof GUI that makes all of this happen in a single click, Windows will never be ready for the mainstream desktop.

Re:Simple Answer for Microsoft...

[the_humeister]

Yes, and then break all compatibility with all current applications that are currently running on Windows.

Besides, Darwin is open source. MS could just use Darwin as the base and write a Windows compatible GUI on top of that.

And what about SharePoint?

[Penguinisto]

While such a vector would be pretty useless on the public nets, just out of academic curiosity, I wonder: how fast would this critter would travel if it got loaded onto a SharePoint site (you know, one with the handy Excel-handling plugin turned on?)

Looking at it from the other end, how do you protect from such an eventuality without shutting off the plugin?

/P

Re:Simple Answer for Microsoft...

[commodoresloat]

Yes, and then break all compatibility with all current applications that are currently running on Windows.

That's an added advantage of such an approach. Bonus!

Re:zero day?

[orzetto]

I think it is the count of how much time Microsoft has been working on the bug.

Another reason I can't use OpenOffice .....

[whoever57]

With yet another incompatibility between OpenOffice and Excel, I really can't use OpenOffice.

Re:zero day?

[PitaBred]

Zero-Day does not mean the day the bug was released. It means that it is a bug that is being exploited in the wild before a patch can be released. It doesn't matter when the bug was first coded. Compare that to a theoretical bug discovered by researchers that COULD be exploited, but isn't yet.

I normally wouldn't respond to an AC seemingly obvious misconception, but the fact that he was modded up means that people with mod points apparently don't have a clue, either...

According to MS? It IS a work-around for this

"That is only a workaround if you hate the guts of everybody who works the help desk." - by fuzzyfuzzyfungus (1223518) on Tuesday February 24, @03:33PM (#26974607)

I suggest you do a bit of reading here then from the URL below...

(Simply because, based on the data about this (straight from the horses' mouth @ MS)? There is a GOOD chance your networking folks will merge this on bootup logon scripts to protect you with it, @ this point so far @ least!)

Microsoft Security Advisory (968272)

Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution

http://www.microsoft.com/technet/security/advisory/968272.mspx

----

SALIENT EXCERPT/QUOTE:

"Suggested Actions

Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section:

For Office 2003

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]

"BinaryFiles"=dword:00000001

Note In order to use 'FileOpenBlock' with Office 2003, all of the latest Office 2003 security updates must be applied.

Impact of Workaround: Users who have configured the File Block policy and have not configured a special exempt directory as discussed in Microsoft Knowledge Base Article 922848 will be unable to open Office 2003 files or earlier versions in Office 2003 or 2007 Microsoft Office System.

For 2007 Office system

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\FileOpenBlock]

"BinaryFiles"=dword:00000001

Note In order to use 'FileOpenBlock' with the 2007 Microsoft Office system, all of the latest security updates for the 2007 Microsoft Office system must be applied.

Impact of Workaround: Users who have configured the File Block policy and have not configured a special exempt directory as discussed in Microsoft Knowledge Base Article 922848 will be unable to open Office 2003 files or earlier versions in Office 2003 or 2007 Microsoft Office System.

How to Undo the Workaround:

For Office 2003

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]

"BinaryFiles"=dword:00000000

For 2007 Office system

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock]

"BinaryFiles"=dword:00000000"

----

Especially since currently there is apparently NO other way to @ least protect yourself from this attack...

APK

P.S.=> The "adverse impacts" of this temporary work-around fix, IF any, are listed on said page also... apk

Re:According to MS? It IS a work-around for this

[fuzzyfuzzyfungus]

"will be unable to open Office 2003 files or earlier versions in Office 2003 or 2007 Microsoft Office System"

That isn't going to go over well. At all.

Re:According to MS? It IS a work-around for this

[Planesdragon]

I say that, simply because, @ least in the workplace, where folks use Excel spreadsheets for daily accounting purposes (& other uses too)? It's NOT going to "go over well" @ all- Especially since I am certain those people will probably NEED to access said spreadsheets to some degree (in the timeframe it takes MS to make up a binary patch for Excel)

*ahem*

1: Excel 2007 has seperate file types for "yes macro XML", "no macro XML", and "old crappy binary" formats. .xlsx, .xlsm, and .xls, respectively. The first, .xlsx, is immune to trojan hacks the same way a .txt file in notepad is immune to them.

2: Excel 2003 has a COMPLETELY FREE UPDATE that lets it write and read .xlsx files.

3: Anyone who isn't using 2007 or 2003 can use OpenOffice, which, again, is highly resistant (immune?) to this bug. And can save to .xlsx.

Anyone using Excel probably needs it--but the few of us who use Excel and need macros, well, we should be smart enough to avoid viruses. Users who aren't can stick to .xlsx, and they'll be all set.

Re:zero day?

[Lord+Ender]

the fact that he was modded up means that people with mod points apparently don't have a clue, either...

Welcome to slashdot!

Next up: Zero-day Notepad exploit found

[kkrajewski]

Reading plaintext unsafe. News at eleven.

Re:zero day?

[wastedlife]

The fact that this was modded informative is one of the funniest things I've seen all day.

MS Vista becoming more secure?

[wealthychef]

FTFA: "Hackers have increasingly sought to find vulnerabilities in applications as Microsoft has spent much effort into making its Vista OS more secure."

Is this true? Any corroborating info from anyone?

Re:MS Vista becoming more secure?

[StikyPad]

Saying you've never had a virus without ever scanning your PCs is like saying you've never had an STD without ever getting tested. In both cases, you can have infections without symptoms, and the infections can be transmitted. Yes, there are false negatives, but that's no excuse to abstain from testing.

Granted, you said "never had a problem," not "never had a virus," but what you really meant was that you've never seen a problem. Considering that most malware these days is designed to run unnoticed rather than to cause harm to the desktop, that's not really surprising. There ARE worms that affect Vista, and for all you know, your servers have rootkits on them. Or not. One thing's for sure: it's irresponsible, borderline incompetent to admin a Windows network without any AV, especially a corporate network (i.e., those that probably store private AND valuable information, as opposed to simply private information that's probably on your desktops at home).

Coincidence?

[chill]

Once, long ago, Excel had a full flight simulator hidden in the code. Then Microsoft created the Flight Simulator team and it was one of their landmark "games".

Fast forward many years. Microsoft closed down Flight Simulator and a few days later there is a "several year old zero-day" exploit in, of all places, Excel.

Coincidence? I THINK NOT! Paybacks are a bitch, aren't they Mr. Ballmer?

Funny, but that won't help solve the problem.

[jbn-o]

Some people have jobs which require opening email attachments from unknown people. Secretaries are often the first point of contact for files sent by the general public. The secretary is often charged with opening the attached file(s) to make sure they're conformant in some organizational sense, then placing a copy of the file somewhere appropriate (such as a file server where other people can further vet the files).

I can easily see a situation where people are asked to upload files via a website to be opened by a committee later. Then everyone on the committee could be running on their machine with an administrative account (common for people who just bought a computer, sometimes having an admin account is viewed as a position of power and privilege).

I'm not saying that any of these problems can't be solved. I'm saying that to frame the issue as strange malcontents trying to take advantage of someone isn't addressing the complexity of the issue at hand.

It seems that this is just another area where overly-capable file formats, proprietary software, and programs that attempt to do too much are all coming together in an unpleasant way...again.