Zero-day #5: Beware of (unexpected) Excel files

Microsoft late Friday warned users to be on the lookout for Excel files that arrive unexpectedly -- even if they come from a co-worker's e-mail address.

In an advisory, Microsoft confirmed a new wave of limited "zero-day" attacks was underway, using a code execution flaw in its Microsoft Office desktop productivity suite.  Although .xls files are currently being used to launch the spear phishing attacks, Microsoft said users of other Office applications (Word, PowerPoint, Outlook, Access, etc.) are potentially at risk.

Confirmed vulnerable: Microsoft Office 2000, Microsoft Office XP, Microsoft Office 2003, Microsoft Office 2004 for Mac, and Microsoft Office 2004 v. X for Mac.

The vulnerability cannot be exploited on Office 2007 or on Works 2004, 2005, or 2006.

This is the fourth known zero-day attack against the ever-present Microsoft Office suite since early December 2006.  The three previous attacks, all aimed directly at specific targets, used rigged Microsoft Word .doc files.

Anti-virus vendor McAfee has issued an alert explaining the attack characteristics, which require that a specially crafted .xls file be opened:

* Unpack the XOR-encrypted shellcode in memory

* Load KERNEL32.DLL using a hardcoded address specific to Windows XP Service Pack 2. On other versions of Windows, Excel will simply crash.

* Create a new file in %Temp% op10.exe using API calls GetTempPathA and CreateFileA

* Seek the opened file handle of the XLS file in memory using API call GetFileSize to match a specific filesize.

* Extract the payload from the XLS file and write it into %Temp% op10.exe

* Execute %Temp% op10.exe
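From the defender's side, the last two steps of that chain leave a visible trace: an Office process launching an executable that was just written to the user's %Temp% directory. The following Python is an added illustration, not part of the original post or of McAfee's alert; it flags such launches in constructed process-creation records, and it generalizes the check to the other Office applications the advisory names. The record format and field names are assumptions, not any product's real schema.

```python
"""Flag process-creation events where an Office application spawns an
executable living under a Temp directory (the final step of the chain
described above: write op10.exe into %Temp%, then execute it).
Log format and field names are made up for this example."""
import ntpath
import re

# Constructed process-creation records (not real telemetry).
SAMPLE_LOG = """\
2007-02-03T09:12:01 parent=C:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE image=C:\\Documents and Settings\\alice\\Local Settings\\Temp\\op10.exe
2007-02-03T09:12:05 parent=C:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE image=C:\\WINDOWS\\system32\\calc.exe
2007-02-03T09:13:44 parent=C:\\WINDOWS\\explorer.exe image=C:\\Documents and Settings\\alice\\Local Settings\\Temp\\setup_tmp.exe
2007-02-03T09:15:10 parent=C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE image=C:\\DOCUME~1\\alice\\LOCALS~1\\Temp\\report.exe
"""

# Office executables that the advisory says are potentially at risk.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}

# One record per line: timestamp, parent image path, child image path.
LINE_RE = re.compile(r"^(?P<ts>\S+) parent=(?P<parent>.+?) image=(?P<image>.+)$")


def is_temp_path(path: str) -> bool:
    """True if a directory component of the path is named Temp (long or 8.3 form)."""
    parts = [p.lower() for p in path.replace("/", "\\").split("\\")]
    return "temp" in parts[:-1]


def suspicious_launches(log_text: str) -> list:
    """Return records where an Office parent launched an executable out of Temp."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed record format
        parent = ntpath.basename(m["parent"]).lower()
        if parent in OFFICE_IMAGES and is_temp_path(m["image"]):
            hits.append({"ts": m["ts"], "parent": parent, "image": m["image"]})
    return hits


if __name__ == "__main__":
    for hit in suspicious_launches(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['parent']} launched {hit['image']}")
```

In the sample records, only the Excel launch of op10.exe and the Word launch of report.exe are flagged; Explorer starting an installer from Temp and Excel starting calc.exe are not.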

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
