Olympic trojan beats Microsoft to Excel patch

Microsoft's decision to hold back an Excel patch from last month's Patch Tuesday may have left millions exposed as attackers target the un-patched flaw.

Microsoft's decision to hold back an Excel patch from last month's Patch Tuesday may have left millions exposed as attackers target the un-patched flaw.

The US Computer Emergency Readiness Team (US-CERT) has issued a warning that Excel file attachments are being used to spread a trojan which allows a hacker to gain user rights to a PC.

The trojan is packed inside an Excel attachment and exploits a flaw discovered in multiple versions of Excel in January.

The attachments, which arrive either as OLYMPIC.XLS or SCHEDULE.XLS are capable of dropping and executing Windows binary executables, according to researchers at Trend Micro.

For the attack to work the user must open the Excel file, according to an advisory on the flaw issued by Microsoft when it was first discovered.

The vulnerability was found over a month ago and labelled "extremely critical" by security advisory service Secunia.

Microsoft Office Excel 2003 with Service Pack 2; Excel Viewer 2003; Excel 2002; Excel 2000; and Microsoft Excel 2004 for the Mac are affected by the security vulnerabilities, according to the original Microsoft advisory.

The exploit launches a non-malicious file in order to maintain the deception, the file is an Olympic timetable and allows malware writers to customise the exploit to perform other routines, according to researchers at Trend Micro.

Although Microsoft intended to immediately release a patch for the flaw following the discovery, it delayed its release to the general public in order to ensure it didn't negatively impact other software, the company told ZDNet.com's Larry Dignan.

At the time, Microsoft reported the flaw had only been exploited in the form of targeted attacks. Since it had not been "publicly disclosed broadly", it assessed the risk to be limited.

Although the decision to delay the patch may have exposed organisations to further threats, McAfee AvertLabs senior security researcher Nishad Herath said he understands why Microsoft has delayed the patch.

"If they are actually fixing a piece of code that affects the greater Office suite, in that case, I understand why they would want to perform extra regression testing on the actual patch itself or deploy it in a limited fashion and then scale it accordingly," he told ZDNet.com.au.