Zero-day #5: Beware of (unexpected) Excel files

Summary: Microsoft late Friday warned users to be on the lookout for Excel files that arrive unexpectedly -- even if they come from a co-worker's e-mail address. In an advisory, Microsoft confirmed a new wave of limited "zero-day" attacks was underway, using a code execution flaw in its Microsoft Office desktop productivity suite.

Microsoft late Friday warned users to be on the lookout for Excel files that arrive unexpectedly -- even if they come from a co-worker's e-mail address.

In an advisory, Microsoft confirmed a new wave of limited "zero-day" attacks was underway, using a code execution flaw in its Microsoft Office desktop productivity suite.  Although .xls files are currently being used to launch the spear phishing attacks, Microsoft said users of other Office applications (Word, PowerPoint, Outlook, Access, etc.) are potentially at risk.

Confirmed vulnerable: Microsoft Office 2000, Microsoft Office XP, Microsoft Office 2003, Microsoft Office 2004 for Mac, and Microsoft Office 2004 v. X for Mac.

The vulnerability cannot be exploited on Office 2007 or on Works 2004, 2005, or 2006.

This is the fourth known zero-day attack against the ever-present Microsoft Office suite since early December 2006.  The three previous attacks, all aimed directly at specific targets, used rigged Microsoft Word .doc files.

Anti-virus vendor McAfee has issued an alert explaining the attack characteristics, which require that a specially crafted .xls file be opened:

* Unpack the XOR-encrypted shellcode in memory

* Load KERNEL32.DLL using a hardcoded address specific to Windows XP Service Pack 2. On other versions of Windows, Excel will simply crash.

* Create a new file in %Temp% op10.exe using API calls - GetTempPathA, and CreateFileA

* Seek the opened file handle of the XLS file in memory using the API call GetFileSize to match a specific file size.

* Extract the payload from the XLS file and write it into %Temp% op10.exe

* Execute %Temp% op10.exe
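The step sequence McAfee describes ends with Excel dropping and launching an executable from %Temp%, which is the observable a defender can alert on without needing the file's hash. The following detection logic is an added example, not part of the ZDNet post or the McAfee alert; it assumes process-creation telemetry that records parent and child image paths, and the event records below are constructed for illustration.

```python
import ntpath
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (constructed shape, not a real log format)."""
    parent_image: str   # full path of the process that spawned the child
    child_image: str    # full path of the newly created process


# Office hosts that should never be spawning executables out of a temp folder.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}

# Path fragments that identify the per-user temp directories (%Temp%, %Tmp%).
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def is_temp_path(path: str) -> bool:
    """True when the path lives under a temp directory, case- and slash-insensitive."""
    normalised = path.lower().replace("/", "\\")
    return any(marker in normalised for marker in TEMP_MARKERS)


def is_suspicious(ev: ProcEvent) -> bool:
    """Office parent + child .exe executing from %Temp% matches the dropper behaviour."""
    parent = ntpath.basename(ev.parent_image).lower()
    child = ev.child_image.lower()
    return parent in OFFICE_PARENTS and child.endswith(".exe") and is_temp_path(child)


def flag_events(events):
    """Return only the events that match the Office-drops-and-runs-from-Temp pattern."""
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample telemetry: one true positive and two benign records.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE",
              r"C:\Documents and Settings\mary\Local Settings\Temp\op10.exe"),
    ProcEvent(r"C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE",
              r"C:\WINDOWS\system32\calc.exe"),            # Office parent, but not from Temp
    ProcEvent(r"C:\WINDOWS\explorer.exe",
              r"C:\Documents and Settings\mary\Local Settings\Temp\setup.exe"),  # Temp, but not an Office parent
]

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print("ALERT:", hit.parent_image, "->", hit.child_image)
```

The same rule generalises to the other Office applications the advisory lists, which is why the parent set is broader than just Excel.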

Talkback

  • Hard to keep track of all the exploits

    I don't know how Windows users manage to keep track of all the potential exploits. Firewalls, virus scanners...you spend a small fortune in time and treasure keeping other people out of your computer and off your network. And then there's still stuff going around. Just seems insane to me. I know it's not worth it but you just can't, or won't, try something different. Even if you finally get fed up enough to try Linux you get huffy and snuffy if it's not exactly like Windows. ROFL! You can't have it both ways.

    Get off MSFT, you'll be so glad you did. It's worth the little bit of time and effort it takes whether you're switching to Apple or Linux. It will be an adjustment either way. But that adjustment is far less difficult than staying on the internet with Windows.
    Chad_z
    • Windows users?

      Try reading the article. Mac is just as vulnerable, just like Windows was "vulnerable" when Apple QT exploits came out a few weeks back.

      Actually, it appears that only Windows users are safe, those that have the latest version of Office.

      Take the religion to another forum.
      KTLA
  • Microsoft warn users not to use the product they've paid for

    How can you "unexpectedly" get a spreadsheet off a work colleague?? Has it really come to this- "Don't use your Microsoft platform for sending information to one of your fellow team members, you might compromise the company's IT infrastructure". One degree of separation?? Fred in accounts has to phone Mary in the London office to tell her she can expect a spreadsheet??? And Windows users have PAID for this 'email' ???

    I suppose it's all the stupid users' fault, EVERYBODY knows you can't open attachments when you're using Windows. If you want to be able to safely send a cost estimate to Joe, the new guy in Accounts, you'd better get yourself a different OS - one that works.
    whisperycat
    • <sigh>

      "Confirmed vulnerable: Microsoft Office 2000, Microsoft Office XP, Microsoft Office 2003, Microsoft Office 2004 for Mac, and Microsoft Office 2004 v. X for Mac."

      This is an *APP* vulnerability, not an OS vulnerability, just like Apple's QT bug (and others) last month.
      KTLA
      • Yes...it's a problem with the...

        application software. Which is a problem because the OS is willing to do whatever it's told to by anyone without regard as to who that person is.

        Don't run Excel under Windows. How does one do that? Use wine?

        Got Vista? Go to a site and have it whisper sweet nothings in an audio file.

        Got any Microsoft product other than Vista without the proper patch(s)? Go to the superbowl site, or CDC, and get infected.

        Red Herrings? Start talking about Apple or Linux.

        So, nothing is ever Microsoft's fault. Got the message straight from Redmond. Getting tired of this shit.
        Cardinal_Bill
        • Funny thing is...

          Even if it's strictly an application issue, Microsoft also wrote the application. Let's see...they wrote the OS, they wrote the application...who is responsible here?
          jasonp@...
          • The user is responsible

            Yes Microsoft provides the software at each level which may or may not have software flaws. This is a known factor, it's there and the problem isn't going away anytime soon.

            But ultimately the USERS are responsible for opening an attachment that they didn't expect to get from someone.

            I hammer it into the user's head over and over that just because it SAYS it's from someone doesn't mean it was sent by them.

            The USERS need to be educated not to do things they shouldn't do.
            Old IT Guy
        • ABMers are desperate

          "Got Vista? Go to a site and have it whisper sweet nothings in an audio file."

          Is this the best you can come up with for a flaw in Vista? Microsoft must have done a pretty good job with it if this pathetic "example" of an exploit is all you can provide. They've got the ABMers worried.
          ye
          • I think the cracking of Vista DRM counts ...

            ... because Vista is all about DRM, not the OS X wannabe interface

            http://it.slashdot.org/it/07/01/29/1811201.shtml

            "Security researcher Alex Ionescu claims to have successfully bypassed the much discussed DRM protection in Windows Vista, called 'Protected Media Path' (PMP), which is designed to seriously degrade the playback quality of any video and audio running on systems with hardware components not explicitly approved by Microsoft. The bypass of the DRM protection was in turn performed by breaking the Driver Signing / PatchGuard protection in the new operating system."
            whisperycat
  • NT Will Restricted User Mode Work?

    Just curious if the "launch kernel32.dll" part will still work in restricted user mode.
    Rick.Harris
  • XLS zero day vulnerability

    I'm sorry but this "Warning" is like telling us to hide under a desk during a nuclear attack. There is no real solution to the attack, just hide under your desk and wait for the end!
    Should we switch to some "open source" app?
    Jaytmoon