By Katherine Noyes TechNewsWorld
01/16/08 1:58 PM PT
Hackers are targeting users of some older versions of Microsoft (Nasdaq: MSFT) Excel with a zero-day exploit that could compromise their data, according to a security advisory Microsoft issued Tuesday.
The vulnerability is in Microsoft Office Excel 2003 Service Pack 2, along with Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000 and Microsoft Excel 2004 for Mac, Microsoft said. If successfully exploited on a vulnerable computer, it could enable remote code execution, the company added.
Microsoft is now investigating public reports and the extent of the vulnerability's impact on customers. Once that's done, it may provide a security update through its monthly release process or as an out-of-cycle release, it said.
"While the attack appears to be targeted, and not widespread, we are monitoring the issue and are working with our MSRA (Microsoft Security Response Alliance) partners to help protect customers," wrote Microsoft's Security Response Center on the group's blog. "We will update the advisory and this blog as new information becomes available."
Specially Crafted Files
So far, it appears users of Microsoft Office Excel 2007, Microsoft Excel 2008 for Mac and Microsoft Office Excel 2003 Service Pack 3 are not impacted, Microsoft noted, nor are those using Microsoft Office Excel 2003 Service Pack 2 with the Microsoft Office Isolated Conversion Environment deployed.
The vulnerability also cannot be exploited automatically through e-mail, it said. Rather, a user would have to open an e-mail attachment. Using the Web, an attacker would have to host a Web site that contains a specially crafted Excel file used to exploit the vulnerability, and then persuade users to visit that site via a link or instant message.
Successful exploits would give the attacker the same user rights as the local user has. For that reason, users with administrative rights could be more affected than those with more limited privileges, Microsoft said.
Users of the Office Document Open Confirmation Tool for Office 2000 will be prompted to Open, Save, or Cancel before opening a document that is attempting to exploit the vulnerability, the company noted.
Customers who believe that they have been attacked can get support here and should contact the national law enforcement agency in their country, Microsoft said.
Less-Common Target
"It's unusual to see this kind of zero-day exploit done through Excel," David Marcus, security research and communications manager for McAfee Avert Labs, told TechNewsWorld.
Indeed, within the Microsoft Office world, a full 54 percent of zero-day exploits target Word, Marcus noted. Only 23 percent target Excel, while 15 percent focus on PowerPoint and the remainder target Office in general, he said.
The last such exploit to target Microsoft Excel was more than 18 months ago, he added.
There doesn't, however, appear to have been widespread exploitation of this vulnerability so far, Marcus noted. "Zero-day exploits are typically done in very targeted fashion," he said. "Often there's a specific person or business targeted."
Meanwhile, Microsoft will be "quick to take action," he said, "and then it will be over and done with -- until the next one happens."
'Tried and True Methods'
Microsoft Office 2003 is still one of the most prevalently deployed versions of Office, Tom Bowers, senior security evangelist for Kaspersky Lab, told TechNewsWorld.
Nevertheless, "I don't think this will be very widespread because it's a very specific vulnerability," he said. "There will be a very narrow scope of people affected."
Back in the 90s, viruses were often aimed at getting notoriety for their creators, Bowers noted. Today, on the other hand, "this is about taking control of end users' computers for botnets," he explained.
"We're not seeing a lot of really new, innovative malware out there," Bowers concluded. "Basically the people doing this are using tried and true methods."