Microsoft Warns Of Excel Hack - InformationWeek


The zero-day vulnerability's danger could extend beyond malicious Excel files.

Yet another unpatched bug in Microsoft's widely used Office application suite is being used by hackers to hijack computers, the company's security team has warned.

Late Friday, Microsoft's Security Response Center (MSRC) confirmed that malformed Excel spreadsheets are being used to trigger an unspecified vulnerability in Office 2000, Office XP, Office 2003, and Office 2004 for Mac.

"We are aware of very limited, targeted attacks attempting to use the vulnerability reported," said Alexandra Huft, a security program manager with MSRC, on the group's blog. The company "will provide updates through the MSRC weblog or the advisory as new information develops."

In an associated security advisory, Microsoft said the zero-day vulnerability's danger could extend beyond malicious Excel files, however. "While we are currently only aware that Excel is the current attack vector, other Office applications are potentially vulnerable," the advisory read. A patch is under development, Microsoft added.

"It's still too new to know whether this might actually impact other applications in Office," says Ken Dunham, director of VeriSign iDefense's rapid response team. "Part of the confusion in attacks like this is that the payload has to be examined to see if the vulnerability is the same [as an earlier one] or different, then the vulnerable component must be found. It's a somewhat lengthy process."

The Excel flaw is the fifth unpatched bug in Microsoft Office to be confirmed since early December 2006. The four others -- three in December, one in January 2007 -- lurked in various versions of Microsoft Word. The string of flaws resembles the multi-month run of Office vulnerabilities seen in mid-2006.

"Once hackers have [hold of] a file format with vulnerabilities, they focus on it," says Dunham in explaining why it's often the case that one bug leads to a second, a second to a third, and so on. "The same thing happened last year when they found a bug in the WMF [Windows Metafile] format. They started wondering what other image file formats had vulnerabilities."

Hackers, in fact, systematically test a file format with "fuzzers," software tools that stress-test applications with malformed or random input to look for crash conditions. VeriSign's iDefense researchers have spotted online test results from the Chinese hacking crews that launched targeted attacks in 2006 using malicious Office documents, Dunham said.

"When they find one hacker Easter egg [vulnerability], they naturally try to find more," says Dunham.

Users can protect themselves by not opening Office documents attached to e-mail messages or offered for download by Web sites, said Microsoft. Office 2007, the newest version of the Windows productivity suite, is also immune to the exploit.

The next regularly scheduled security updates from Microsoft will be issued Tuesday, Feb. 13. Microsoft hasn't said whether some, or all, of the unfixed Office flaws will be patched then.
