
Zero-day #5: Beware of (unexpected) Excel files

Written by Ryan Naraine, Contributor

Microsoft late Friday warned users to be on the lookout for Excel files that arrive unexpectedly -- even if they come from a co-worker's e-mail address.

In an advisory, Microsoft confirmed that a new wave of limited "zero-day" attacks was underway, using a code execution flaw in its Microsoft Office desktop productivity suite. Although .xls files are currently being used to launch the spear phishing attacks, Microsoft said users of other Office applications (Word, PowerPoint, Outlook, Access, etc.) are potentially at risk, because the flaw lies in shared Office code rather than in Excel alone.

Confirmed vulnerable: Microsoft Office 2000, Microsoft Office XP, Microsoft Office 2003, Microsoft Office 2004 for Mac, and Microsoft Office v. X for Mac.

The vulnerability cannot be exploited on Office 2007 or on Works 2004, 2005, or 2006.

This is the fourth known zero-day attack against the ever-present Microsoft Office suite since early December 2006.  The three previous attacks, all aimed directly at specific targets, used rigged Microsoft Word .doc files.

Anti-virus vendor McAfee has issued an alert explaining the attack characteristics, which require that a specially crafted .xls file is opened. Once the file is opened, the embedded shellcode does the following:

* Unpack the XOR-encrypted shellcode in memory.

* Load KERNEL32.DLL using a hardcoded address specific to Windows XP Service Pack 2. On other versions of Windows, Excel will simply crash.

* Create a new file, %Temp%\op10.exe, using the API calls GetTempPathA and CreateFileA.

* Seek the open file handle of the .xls file in memory, using the API call GetFileSize to match a specific file size.

* Extract the payload from the .xls file and write it into %Temp%\op10.exe.

* Execute %Temp%\op10.exe.
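The steps above describe a dropper that carries its executable payload inside the .xls file itself and only copies it out to %Temp%\op10.exe at run time. The following script is an added analysis example, not code from the article or from McAfee's alert: it scans a file for an XOR-obfuscated PE image (an "MZ" header together with the "This program cannot be run in DOS mode" stub text), recovers the key and offset, and carves the payload by walking the PE section table so that the correct number of bytes is extracted. It assumes a single-byte repeating XOR key and that the DOS stub text is intact in the embedded payload; neither detail is stated in the article. The sample input is a constructed blob (OLE2 magic plus padding around a minimal, non-executable PE) and not a real malicious document.

```python
import struct

DOS_STUB = b"This program cannot be run in DOS mode"
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # compound-file header magic


def xor_bytes(data, key):
    """Apply a single-byte repeating XOR key (assumed obfuscation scheme)."""
    return bytes(b ^ key for b in data)


def find_xor_pe(blob):
    """Return (offset, key) for every XOR-encoded PE image found in blob.

    For each candidate key the DOS stub text is searched for under that key;
    a hit is then confirmed by finding an 'MZ' under the same key within the
    preceding 0x80 bytes, where the DOS header normally places the stub.
    Key 0 is included so an unobfuscated drop is reported too.
    """
    hits = []
    for key in range(256):
        needle = xor_bytes(DOS_STUB, key)
        mz = xor_bytes(b"MZ", key)
        start = 0
        while True:
            idx = blob.find(needle, start)
            if idx == -1:
                break
            pos = blob.rfind(mz, max(0, idx - 0x80), idx)
            if pos != -1:
                hits.append((pos, key))
            start = idx + 1
    return hits


def carve_payload(blob, offset, key):
    """Decode the image at offset and cut it at the end of its last section.

    Returns None if the decoded bytes do not parse as a PE file.
    """
    data = xor_bytes(blob[offset:], key)
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_size
    end = sec_table + 40 * nsec
    for i in range(nsec):
        # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return data[:end]


def analyze(blob):
    """Full pass: locate, decode and carve every embedded PE payload."""
    return [(off, key, carve_payload(blob, off, key)) for off, key in find_xor_pe(blob)]


# --- constructed test data (not a real sample) -------------------------------

def build_fake_pe(body):
    """Build a minimal, non-runnable 32-bit PE with one section holding body."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)
    dos[0x40:0x40 + len(DOS_STUB)] = DOS_STUB
    opt_size = 0xE0
    coff = struct.pack("<IHHIIIHH", 0x00004550, 0x014C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + bytes(opt_size - 2)
    raw_ptr = 0x200
    sec = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", len(body), 0x1000,
                      len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + coff + opt + sec
    return headers + bytes(raw_ptr - len(headers)) + body


def build_sample_xls(pe, key, offset=0x600):
    """Surround the XOR-encoded PE with OLE2 magic and zero padding."""
    return OLE_MAGIC + bytes(offset - len(OLE_MAGIC)) + xor_bytes(pe, key) + bytes(0x100)


PAYLOAD = build_fake_pe(b"constructed demo section; not real code")
SAMPLE = build_sample_xls(PAYLOAD, 0x5A)

if __name__ == "__main__":
    for off, key, pe in analyze(SAMPLE):
        print(f"PE image at 0x{off:x}, XOR key 0x{key:02x}, {len(pe)} bytes carved")
```

Keying the search on the DOS stub text rather than on "MZ" alone keeps false positives low across 256 candidate keys; on a real document the carved bytes should then be handed to a PE parser and a sandbox rather than trusted as-is, since a packer or a multi-byte key would defeat this heuristic.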
