Attack exploits unpatched Excel security hole
Attackers are attempting to exploit an unpatched security hole in Excel that could allow someone to take control of a compromised computer, Microsoft said in a security advisory on Tuesday.
The attack exploiting the Excel Unspecified Remote Code Execution Vulnerability requires a computer user to open an attachment sent via e-mail that has a maliciously crafted Excel document, according to the advisory.
Microsoft said it is working on a security fix to plug the hole and will release it after it has completed testing. In the meantime, Windows users are urged to avoid opening Office files from untrusted sources or that arrive unexpectedly.
Affected software includes Microsoft Office 2000, 2002, 2003, and 2007 and Microsoft Office 2004 and 2008 for Mac.
The exploit uses weak encryption in an attempt to evade detection, according to Symantec. (Credit: Symantec)
Symantec has discovered malicious files in the wild in Japan that attempt to exploit the vulnerability and has updated its antivirus software to detect the malicious spreadsheet files it has dubbed Trojan.Mdropper.AC, the company said in a blog posting on Tuesday.
The risk is low and there have been few infections, Symantec said in an advisory. It lists Windows Vista and XP as affected systems.
"It turns out that this vulnerability exists in the old Excel binary .xls format and not the new .xlsx format," Symantec wrote. "Opening the malicious spreadsheet triggers the vulnerability. This causes the shellcode to execute and then drops two files on the system--the malicious binary mentioned earlier and another valid Excel document. The shellcode then executes the dropped file and opens the valid Excel document to mask the fact that Excel has just crashed. This helps to decrease suspicion when the affected spreadsheet is opened."
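A mail-gateway triage check based on the format distinction Symantec describes, written for this page as an added example (not Symantec's or Microsoft's code): it flags e-mail attachments whose leading bytes mark the legacy binary container used by .xls, whatever the filename says. It classifies the container format only and does not detect the exploit itself; the function names and the sample message are constructed for illustration.

```python
import email
import email.policy
from email.message import EmailMessage

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy binary container (.xls, .doc, .ppt)
ZIP_MAGIC = b"PK\x03\x04"                        # ZIP container used by .xlsx
LEGACY_EXTS = {"xls", "xlt", "doc", "dot", "ppt", "pps"}

def container_type(data: bytes) -> str:
    """Classify an attachment by its leading bytes, ignoring the filename."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "other"

def flag_legacy_office(raw_message: bytes) -> list:
    """Return (filename, reason) for each attachment in the legacy binary format."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if container_type(data) != "ole2":
            continue
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        reason = "legacy binary Office container"
        if ext not in LEGACY_EXTS:
            # A binary file renamed to .xlsx still opens in the old parser.
            reason += ", extension does not match content"
        flagged.append((name, reason))
    return flagged

def build_sample() -> bytes:
    """Constructed test message: header bytes only, no real documents."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Q1 figures"
    msg.set_content("Spreadsheets attached.")
    for name, magic in (("report.xls", OLE2_MAGIC), ("budget.xlsx", ZIP_MAGIC),
                        ("invoice.xlsx", OLE2_MAGIC)):
        msg.add_attachment(magic + b"\x00" * 24, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in flag_legacy_office(build_sample()):
        print(f"{name}: {reason}")
```

The same header also marks legacy .doc and .ppt files, so a gateway using this check would hold those for review as well.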
Microsoft also on Tuesday announced the availability of an update for Windows Autorun that allows people to selectively disable the Autorun functionality for drives on a system or network to provide more security.
The update addresses an issue that prevents the NoDriveTypeAutoRun registry key from functioning as expected. Disabling Autorun functionality can help prevent the execution of arbitrary code when a removable storage device is used.
The Autorun functionality has been blamed for malware that has infected USB thumb drives, leading to a temporary ban on their use at the U.S. Defense Department, and digital photo frames, among other storage types.
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.





Beware of what you download, and don't trust your anti-virus to save you ...
Depends on a few factors:
* was it caught before distribution?
* are there A/V sigs for your A/V setup that can/will detect it?
* does the malware automatically affect/infect all other spreadsheets within reach?
How many major corps allow attachments?
Once it's in it doesn't matter. You also neglect intentional infections by employees either laid-off but still connected, or about to be laid-off.
Security - it's not just for breakfast anymore ;)
"Once it's in it doesn't matter. "
The article states that it spreads by attachments in email. It's a matter of simplicity to screen for this in an enterprise system. Anyone even barely competent in network security can do this.
And it's true- there isn't much point in attaching documents in email anymore with files existing on file servers or cloud services these days. I cannot honestly recall the last time I saw a file attachment in email. Several years, perhaps?
After all, Conficker relies on (mainly) USB sticks and exploits a hole that was supposed to be patched back in October. Yet for some odd reason it still claims large numbers of new victims every day (at least enough to keep itself in the news...)
- by Breezy1601 February 24, 2009 1:33 PM PST
- IMO, ActiveX should be killed in an update. It's a POS and major security risk.
- by Penguinisto February 24, 2009 1:54 PM PST
- ...it would be the last update you ever got from MSFT (Windows Update used ActiveX).