Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zero-Day Excel Exploit In the Wild

Posted by kdawson on from the be-careful-out-there dept.

snydeq writes "Microsoft Excel has a zero-day vulnerability that attackers are exploiting on the Internet, according to security vendor Symantec. The problem affects Excel 2007 both without and with Service Pack 1, according to an advisory on SecurityFocus, and other versions going back to Excel 2000. The program's vulnerability can be exploited if a user opens a maliciously crafted Excel file, allowing a hacker to leave a Trojan horse on the infected system."

12 of 117 comments (clear)

  1. Random E-mails by 0prime · · Score: 5, Funny

    Well, let me just open this excel file detailing the financial agreement I will be making with Mr. Ugubu. Surely there is nothing wrong with opening attachments from untrusted sources.

    --
    I am not a *blank*, but I did stay at a Holiday Inn Express last night.
    1. Re:Random E-mails by the_humeister · · Score: 4, Funny

      What do you mean "untrusted." He just sent me an email detailing how he is the caretaker of the Nigerian's former king's fortune. It sounds official too.

    2. Re:Random E-mails by Lord+Ender · · Score: 5, Insightful

      Surely there is nothing wrong with opening attachments from untrusted sources.

      The real danger is in opening attachments from trusted sources. If this is used with an email worm, it will look like it is coming from your friends, coworkers, or any of your eight bosses. As a high priority, due yesterday, mission-critical action-item.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    3. Re:Random E-mails by aarroneous · · Score: 5, Insightful

      I was just thinking that - it's 2009. Who is still opening DOC or XLS attachments?

      Umm... practically any company that does business with any municipal or state governmental agencies, law firms, accounting firms, etc etc. The question is who isn't opening DOC or XLS attachments from their clients, and how do they plan to stay in business?

  2. And what about SharePoint? by Penguinisto · · Score: 4, Interesting

    While such a vector would be pretty useless on the public nets, just out of academic curiosity, I wonder: how fast would this critter would travel if it got loaded onto a SharePoint site (you know, one with the handy Excel-handling plugin turned on?)

    Looking at it from the other end, how do you protect from such an eventuality without shutting off the plugin?

    /P

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  3. Re:zero day? by orzetto · · Score: 4, Funny

    I think it is the count of how much time Microsoft has been working on the bug.

    --
    Victims of 9/11: <3000. Traffic in the US: >30,000/y
  4. Another reason I can't use OpenOffice ..... by whoever57 · · Score: 5, Funny

    With yet another incompatibility between OpenOffice and Excel, I really can't use OpenOffice.

    --
    The real "Libtards" are the Libertarians!
  5. Re:zero day? by PitaBred · · Score: 5, Informative

    Zero-Day does not mean the day the bug was released. It means that it is a bug that is being exploited in the wild before a patch can be released. It doesn't matter when the bug was first coded. Compare that to a theoretical bug discovered by researchers that COULD be exploited, but isn't yet.

    I normally wouldn't respond to an AC seemingly obvious misconception, but the fact that he was modded up means that people with mod points apparently don't have a clue, either...

    --
    My blog. Good stuff (when I remember to update it). Read it.
  6. According to MS? It IS a work-around for this by Anonymous Coward · · Score: 5, Informative

    "That is only a workaround if you hate the guts of everybody who works the help desk." - by fuzzyfuzzyfungus (1223518) on Tuesday February 24, @03:33PM (#26974607)

    I suggest you do a bit of reading here then from the URL below...

    (Simply because, based on the data about this (straight from the horses' mouth @ MS)? There is a GOOD chance your networking folks will merge this on bootup logon scripts to protect you with it, @ this point so far @ least!)

    Microsoft Security Advisory (968272)

    Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution

    http://www.microsoft.com/technet/security/advisory/968272.mspx

    ----

    SALIENT EXCERPT/QUOTE:

    "Suggested Actions

    Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section:

    For Office 2003

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]

    "BinaryFiles"=dword:00000001

    Note In order to use 'FileOpenBlock' with Office 2003, all of the latest Office 2003 security updates must be applied.

    Impact of Workaround: Users who have configured the File Block policy and have not configured a special exempt directory as discussed in Microsoft Knowledge Base Article 922848 will be unable to open Office 2003 files or earlier versions in Office 2003 or 2007 Microsoft Office System.

    For 2007 Office system

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\FileOpenBlock]

    "BinaryFiles"=dword:00000001

    Note In order to use 'FileOpenBlock' with the 2007 Microsoft Office system, all of the latest security updates for the 2007 Microsoft Office system must be applied.

    Impact of Workaround: Users who have configured the File Block policy and have not configured a special exempt directory as discussed in Microsoft Knowledge Base Article 922848 will be unable to open Office 2003 files or earlier versions in Office 2003 or 2007 Microsoft Office System.

    How to Undo the Workaround:

    For Office 2003

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]

    "BinaryFiles"=dword:00000000

    For 2007 Office system

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock]

    "BinaryFiles"=dword:00000000"

    ----

    Especially since currently there is apparently NO other way to @ least protect yourself from this attack...

    APK

    P.S.=> The "adverse impacts" of this temporary work-around fix, IF any, are listed on said page also... apk

  7. Re:zero day? by Lord+Ender · · Score: 5, Informative

    the fact that he was modded up means that people with mod points apparently don't have a clue, either...

    Welcome to slashdot!

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  8. Next up: Zero-day Notepad exploit found by kkrajewski · · Score: 5, Funny

    Reading plaintext unsafe. News at eleven.

  9. Coincidence? by chill · · Score: 5, Funny

    Once, long ago, Excel had a full flight simulator hidden in the code. Then Microsoft created the Flight Simulator team and it was one of their landmark "games".

    Fast forward many years. Microsoft closed down Flight Simulator and a few days later there is a "several year old zero-day" exploit in, of all places, Excel.

    Coincidence? I THINK NOT! Paybacks are a bitch, aren't they Mr. Ballmer?

    --
    Learning HOW to think is more important than learning WHAT to think.