Security Vendors Spot Second Excel Bug

Last Thursday Microsoft acknowledged that a critical flaw in Excel was being used by attackers who had targeted a single company, the second such admission in a month. In May, a bug in Microsoft Word was used in similar fashion by hackers who targeted a small number of victims. A week ago, Microsoft patched the Word flaw.

Monday, the Redmond, Wash. developer issued a security advisory that promised a patch for the first Excel vulnerability and spelled out several steps enterprises and individuals could take to protect their systems until a fix was released.

In the advisory, Microsoft noted that Excel 2000, 2002, and 2003 for Windows (as well as the for-free Excel Viewer 2003 utility), and Excel v. X and 2004 for the Mac were at risk. The company also recommended several different defensive strategies, ranging from blocking all Excel-related file types at the gateway to deleting 40 keys from the Windows Registry to block Excel documents from opening directly within the application.

Tuesday, however, security companies reported that proof-of-concept exploit code had gone public for yet another Excel bug, this time one in a DLL that handles hyperlinks in Excel worksheets.


"The vulnerability occurs when a user follows a long URL link contained in an Excel spreadsheet," wrote Symantec in a Tuesday alert to customers of its DeepSight Threat Management System. "Since the proof of concept does not include a payload, it will cause Excel to crash.

"This issue is not believed to be associated with the other recently discovered flaw in Excel, since the two vulnerabilities appear to be quite different," Symantec added.

The rapid appearance of multiple vulnerabilities in Microsoft Office applications -- and just as importantly, their use in attacks focused on a small number of companies -- isn't a surprise to security analysts, who have been remarking on the trend toward such "targeted" attacks for months.

"We are starting to see more targeted attacks," said Vincent Weafer, the senior director of Symantec's security response team. "And the exploitation of Office [applications] is also increasing."

Hackers engaged in targeted attacks -- which are motivated by profit and sometimes involve the sale of commercial secrets culled from the attack -- usually want to stay out of the public eye, but are willing to take the risk that Microsoft (and others) will sound the alarm over a Word or Excel flaw being exploited.

"If they can use the same exploit in two or more instances, all the better," said Weafer. "But they also want to get to something they know is in the victim's environment." Such as Office, which has the lion's share of the business application market.

Others see the increase in Office vulnerabilities and follow-on exploits as additional confirmation of another trend: that client-side exploits are not only the attack category du jour, but the future of malware.

"Several years ago, nobody cared too much about exploitable bugs in client-side applications because remote bugs were still readily available," said Kyle Haugsness, an analyst with SANS Institute's Internet Storm Center, in an online research note. "I am honestly expecting to see a healthy stream of client vulnerabilities in Office applications over the next 2-3 years."

Symantec's Weafer conceded that the Word and Excel bugs were serious, but dismissed any danger to Office users as a group. "I don't think you need to be concerned about a targeted attack tomorrow. They're increasing, yes, but they're just a drop in the ocean compared to the number of malicious programs launched every day.

"Most [users] will never see an attack on Word or Excel."