Microsoft Excel users should avoid opening or saving any file attachments sent via e-mail if the message is not from a trusted source or arrives unexpectedly, the company said following public reports of zero-day attacks exploiting a flaw in the spreadsheet program.
Security firm Secunia ranks the vulnerability as extremely critical because it can allow a hacker to remotely gain access to a user’s computer system. For an attack to succeed, however, a user must first open a malicious Office file sent by e-mail or otherwise provided via the Internet.
At risk are users of Microsoft Office 2000, all versions of Microsoft Office 2003, Microsoft Office XP and Microsoft Office 2004 for Mac. At press time, Microsoft had not said whether other Office applications are also vulnerable to attack.
By E-Mail or By Web
According to Secunia, the problem is caused by an unspecified error in the way Excel handles strings (contiguous sequences of letters, numbers, symbols and punctuation marks). An attacker can use this to cause memory corruption and execute arbitrary code.
To exploit the vulnerability via e-mail, attackers send a specially crafted malicious file to users as an e-mail attachment. Once the file containing the malformed string has been opened, it may corrupt the system’s memory, allowing the attacker to execute arbitrary code, Microsoft said.
In a Web-based attack, users would have to visit a specially designed site hosted by the attacker that contains an Office file crafted to exploit the vulnerability. A compromised Web site, as well as sites that accept or host user-generated content, could also contain custom-made content capable of exploiting the vulnerability.
Attackers have no way to force users to visit such a site, however; instead, they will attempt to trick users into clicking through to a specific Web site containing the malicious code.
Computers At Risk
The flaw is extremely critical. “Hackers have been seen sending malicious Excel spreadsheets in targeted attacks against individuals and companies in an attempt to compromise their systems,” Graham Cluley, senior technology consultant at Sophos, told TechNewsWorld.
Adding to the danger is that the vulnerability exists in both the Windows- and Mac-based versions of Excel. “It’s not unusual for flaws to be found in Mac versions of Microsoft products, as the company tries as much as possible to use the same source code base,” he explained. “Unfortunately, although that can mean both Macs and Windows share similar functionality in Microsoft Office programs, they can also share flaws.”
As always, people should show extreme caution when opening unsolicited attachments, Graham said. “If you weren’t expecting it, or don’t have a good reason for opening it, then ask yourself if it wouldn’t be wiser to chuck it in the recycling bin,” he advised.
It is technically possible that Microsoft could issue a fix next week as part of its regularly scheduled “Patch Tuesday,” which falls on the second Tuesday of every month, Graham said.
“However, depending on the precise details of the problem, they may find themselves hard pushed to issue a fix within such a tight deadline.”
According to Microsoft, the vulnerability is currently under investigation and no patch has been released, but the company said it has added detection to its Windows Live OneCare safety scanner so that the scanner can identify and remove malicious software that attempts to exploit the vulnerability.
The new year has not been good to the software giant. Overall, the widespread reports of this and other flaws in Microsoft software are bad news for the company, which is trying to present itself as a credible player in the security market, Graham said.
“It seems Microsoft will continue to face a considerable challenge in 2007, trying to turn round the perception amongst some system administrators that security is not in their blood,” Graham concluded.