Excel Exploited

We sent out an alert yesterday, in conjunction with Microsoft, warning of a vulnerability in Excel. We have also seen some limited exploits of this vulnerability in the wild. Opening a malicious spreadsheet file triggers the vulnerability. This, in turn, causes shellcode to execute and then drops two files on the system: the first being the malicious binary, and the other being a valid Excel document, which is used to try to mask what is actually happening in the background as the malicious code is run. Our testing shows that the exploit has been created for, and works with, Excel 2007, but only with .xls files and not with .xlsx files. We have added detection for the malicious spreadsheet files that we have detected.

The exact motivation of the threat and its use are still unclear. The ability to drop files onto a remote system and then execute them is worrisome. The discovery of this vulnerability, using infected spreadsheets, is a hark back to the past. There was an era when many viruses were embedded within macros in word processing and spreadsheet files. I am not predicting a return to the exploitation of these applications in this way; however, it shows the predilection of the malware authors to revisit old favourites. Talking of which, in the CNET coverage of this vulnerability, they mention that the US Defense Department has temporarily banned the use of USB thumb drives. We have been warning for some time that the malware gang would look to exploit these devices in a throwback to the days of infections passed around on floppy disks. Plus ça change!
