Zero Day Vulnerability Discovered In MS Excel

The attack is launched when a user opens an infected Excel attachment in an e-mail or a document posted on a website, and doesn't require any user interaction beyond opening the infected document, according to Oliver Friedrichs, director of emerging technologies in Symantec's Security Response division.

When activated, Trojan.Mdropper.J drops a downloader application called Downloader.Booli.A on the user's PC, which in turn attempts to download a file from a website in Hong Kong. This final stage fails because the website is no longer online, said Friedrichs.

According to the SANS Internet Storm Center, when Downloader.Booli.A is executed, it attempts to run Internet Explorer and injects its code in an attempt to circumvent firewalls, tries to download the file from the website, and if the download is successful, saves the file as "c:\temp.exe" and then creates an empty file called "c:\bool.ini" before exiting.
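A triage check for the two file artifacts named in that description, added here as an example and not taken from Symantec, SANS, or Microsoft. The function name, the verdict labels, and the `root` parameter (the `C:\` root of a live host or the mount point of a disk image) are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# File names from the SANS Internet Storm Center description above.
PAYLOAD_NAME = "temp.exe"  # the downloaded file
MARKER_NAME = "bool.ini"   # the empty file created before the downloader exits


def find_ci(root, name):
    """Find a file directly under root, ignoring case as Windows does."""
    for entry in Path(root).iterdir():
        if entry.is_file() and entry.name.lower() == name:
            return entry
    return None


def check_booli_artifacts(root):
    """Report which of the two described artifacts exist under root."""
    marker = find_ci(root, MARKER_NAME)
    # Only a zero-byte bool.ini matches the described behaviour.
    if marker is not None and marker.stat().st_size != 0:
        marker = None
    payload = find_ci(root, PAYLOAD_NAME)
    details = None
    if payload is not None:
        data = payload.read_bytes()
        details = {
            "path": str(payload),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),  # for later lookup
            "is_pe": data[:2] == b"MZ",  # Windows executable magic bytes
        }
    verdict = {(False, False): "no-artifacts", (True, False): "marker-only",
               (False, True): "payload-only", (True, True): "both"}
    return {
        "marker": str(marker) if marker is not None else None,
        "payload": details,
        "verdict": verdict[(marker is not None, payload is not None)],
    }


if __name__ == "__main__":
    # Constructed sample: a scratch directory standing in for the C:\ root.
    with tempfile.TemporaryDirectory() as scratch:
        Path(scratch, "BOOL.INI").write_bytes(b"")
        Path(scratch, "temp.exe").write_bytes(b"MZ" + b"\x00" * 62)
        print(check_booli_artifacts(scratch))
```

Both file names are generic, so a hit is a lead to confirm with the recorded hash rather than proof of infection.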

Although the flaw is actively being leveraged by attackers to compromise systems, Friedrichs says Symantec has only seen it being exploited in isolated cases. "It is by no means a widespread exploit," he noted. However, users will still have the Trojan code sitting on their system, he added.

Symantec classified the threat level as a category 1, the lowest on its five-level scale. But Friedrichs believes these types of threats are concerning because zero-day vulnerabilities are a fast-growing trend.

"One thing we are seeing is an entire economy being built around the sale and purchase of vulnerability information, driven by the fact that more attacks are financially motivated," Friedrichs said.

Microsoft has activated its security response process and added detection to Windows Live Safety Center to allow for removal of malicious software that attempts to exploit the Excel vulnerability, according to a post on Microsoft's Security Response Center Blog.