Microsoft Warns Of Critical Excel Flaw
Security experts say that the flaw, which affects Microsoft Office Excel 2007 and earlier, exists in the old Excel binary .xls format. The attack is triggered when the user opens the malicious spreadsheet, causing two files to be dropped on the system -- the malicious binary as well as another valid Excel document. The shellcode then executes the dropped files and opens the valid Excel document to mask the fact that Excel has just crashed or become infected with the malware.
Upon opening an infected Excel file, users unknowingly run a Trojan horse downloader on their computers that can be used to stealthily record keystrokes and steal private and financial data.
"[The attack] displays the valid document and looks as if it's opening, so you may not notice you now have a new downloader on your machine that steals information," said Vincent Weafer, vice president of Symantec Security Response.
Meanwhile, security experts at Symantec said that the attackers also used weak encryption on the binary, which helps the malware to evade detection.
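As an added illustration (not code from Microsoft, Symantec or this article), the sketch below shows how a defender could triage an attachment for the pattern described above: a legacy binary Office container carrying an executable hidden by weak encoding. The article does not name the cipher, so single-byte XOR is assumed here as a common weak scheme; the function names and the sample bytes are constructed for the example.

```python
import struct

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # header of binary .xls/.doc/.ppt containers
DOS_STUB = b"This program cannot be run in DOS mode"  # text found in most PE files


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xor_pe(blob: bytes) -> list:
    """Return sorted (key, offset) pairs where a PE header appears once the bytes
    are XORed with `key`. Assumption: single-byte XOR; key 0 means not encoded."""
    hits = set()
    for key in range(256):
        needle, mz = xor(DOS_STUB, key), xor(b"MZ", key)
        pos = blob.find(needle)
        while pos != -1:
            # Nearest encoded 'MZ' within 0x80 bytes before the stub text.
            start = blob.rfind(mz, max(0, pos - 0x80), pos)
            if start != -1 and start + 0x40 <= len(blob):
                # e_lfanew at MZ+0x3C must point at the 'PE\0\0' signature.
                (e_lfanew,) = struct.unpack("<I", xor(blob[start + 0x3C:start + 0x40], key))
                if xor(blob[start + e_lfanew:start + e_lfanew + 4], key) == b"PE\0\0":
                    hits.add((key, start))
            pos = blob.find(needle, pos + 1)
    return sorted(hits)


def triage(blob: bytes) -> dict:
    legacy = blob.startswith(OLE2_MAGIC)
    hits = find_xor_pe(blob)
    return {"legacy_office": legacy, "embedded_pe": hits, "suspicious": legacy and bool(hits)}


def make_sample(key: int) -> bytes:
    """Constructed input: OLE2 magic, filler, and an XOR-encoded PE header
    skeleton (header fields only, not a working program)."""
    hdr = bytearray(0x84)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = struct.pack("<I", 0x80)
    hdr[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    hdr[0x80:0x84] = b"PE\0\0"
    return OLE2_MAGIC + b"\x00" * 504 + b"cells" * 20 + xor(bytes(hdr), key)


if __name__ == "__main__":
    print(triage(make_sample(0x5A)))
```

A hit is a triage signal rather than a verdict: payloads encoded with multi-byte or rolling keys will not match this scan.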
While the attack is loose in the wild, security experts say that attacks so far are few in number, appearing to be used in targeted and deliberate spearphishing attempts. Weafer said that the Excel attack is indicative of attack trends that exploit vulnerabilities in shared applications in order to go after specific individuals, usually C-level executives and government officials.
"It shows that attackers are again looking at these common applications as a means of getting onto the system," Weafer said. "Typically if [the malware] is crafted, it tends to be very selective. Those industry segments, [such as] high-end enterprises, it's critical for them."
Microsoft said in its advisory that it is actively working with its partners to address the issue. Actions to remediate the vulnerability could include providing a solution through a service pack or the monthly security update release. For critical vulnerabilities, action may include releasing an emergency out-of-band patch.
Until a patch can be developed, however, security experts say that users should make sure that common applications are updated with the latest patches and that firewalls and antivirus software are up to date.
"Today we see [attacks] in browsers. We also see them in common applications. The attackers are looking for anything that's common on the desktop," Weafer said. "The message here is, make sure you're paying attention to your patch updates for all of your applications on your desktop."