New Excel vulnerability discovered – the risk is low, so don’t panic (UPDATE)
by Steve Ragan - Feb 24 2009, 18:45
Update:
Microsoft has weighed in with some new information. They have posted Microsoft Security Advisory 968272 in response to the issue.
The new information is the scope of the vulnerability. “Products affected are Microsoft Office 2000, Microsoft Office 2002, Microsoft Office 2003, Microsoft Office 2007, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac,” Microsoft said.
They also point out that they are “aware only of limited and targeted attacks that attempt to use this vulnerability.” In addition, they are developing a patch for the problem.
In the meantime, one of the mitigations Microsoft offers is the use of the Microsoft Office Isolated Conversion Environment (MOICE). This will offer extra security when opening Office binary file formats. More information on MOICE is here. (Note: MOICE is for Office 2003 and 2007 only.)
To use MOICE on Office 2003 you will need the Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats. You can get that here.
So while there are more details, there is still no need to panic in the streets. If you are fully patched, running current anti-Virus protections, and use a bit of common sense when dealing with Excel files, there should be no issues.
Original article below:
Symantec is warning of a new vulnerability in Microsoft Excel 2007, which is being exploited in the wild. However, according to Symantec themselves, while this is a new attack on the Office application, the risk is low.
All of the news that is online about this new vulnerability comes from the same source. That source is the Symantec-owned SecurityFocus, where a small snippet of warning was posted in the vulnerabilities section.
“Microsoft Excel is prone to an unspecified remote code-execution vulnerability.
Attackers may exploit this issue by enticing victims into opening a maliciously crafted Excel file. Successful exploits may allow attackers to execute arbitrary code with the privileges of the user running the application. Failed exploit attempts will result in a denial-of-service condition. Microsoft Excel 2007 is vulnerable; other versions may also be affected.”
According to the exploit information, “Symantec has detected active in-the-wild exploit attempts. This issue is detected as 'Trojan.Mdropper.AC'.”
So what does this mean to a normal computer user or an IT administrator? Absolutely nothing, because of what Symantec listed on their information index for Trojan.Mdropper.AC.
Starting with information that is more useful to those of you in IT, the vulnerability and the Malware were discovered on February 23, 2009. As of February 24, there are a total of 0-49 noticed infections, Threat Containment is listed as Easy, Distribution is Low, and Damage Level is Low.
Also, blocking the following list of IP addresses both in and out will help.
61.59.24.55
61.59.24.45
61.221.40.63
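Blocking only stops future traffic; existing firewall or proxy logs can show whether a machine has already exchanged traffic with those addresses. The Python sketch below is an added example, not code from Symantec or the original article; the log format, the internal addresses and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# The three addresses listed in the article.
BLOCKLIST = {ipaddress.ip_address(a)
             for a in ("61.59.24.55", "61.59.24.45", "61.221.40.63")}

# Constructed sample lines in a hypothetical firewall log format:
# <timestamp> <action> <proto> <src>:<port> -> <dst>:<port>
SAMPLE_LOG = """\
2009-02-24T09:58:11 ALLOW TCP 10.0.0.12:49211 -> 61.59.24.55:80
2009-02-24T10:02:40 ALLOW TCP 10.0.0.31:50100 -> 192.0.2.10:443
2009-02-24T10:05:03 DENY TCP 61.221.40.63:4431 -> 10.0.0.12:445
2009-02-24T10:07:19 ALLOW TCP 10.0.0.44:51822 -> 61.59.24.45:80
this line is malformed and must be skipped
2009-02-24T10:09:00 DENY TCP 10.0.0.50:49300 -> 61.59.24.55:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) \S+ "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$"
)

def find_contacts(log_text):
    """Return {local_host: [(timestamp, direction, listed_ip, action), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # looks like an address but is not one, e.g. 999.1.1.1
        if dst in BLOCKLIST:    # local machine reached out to a listed address
            hits[str(src)].append((m["ts"], "outbound", str(dst), m["action"]))
        elif src in BLOCKLIST:  # listed address tried to reach a local machine
            hits[str(dst)].append((m["ts"], "inbound", str(src), m["action"]))
    return dict(hits)

def hosts_to_investigate(hits):
    """Hosts with an allowed outbound connection (triage rule is an assumption)."""
    return sorted(h for h, events in hits.items()
                  if any(d == "outbound" and a == "ALLOW" for _, d, _, a in events))

if __name__ == "__main__":
    print(hosts_to_investigate(find_contacts(SAMPLE_LOG)))
```

Hosts whose only matches were denied still appear in the result of find_contacts, which confirms the block rule is working in that direction.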
Since most IT operations are running Symantec software, you are already protected should a malicious Excel file crop up on the network somehow. The payload from the vulnerability, according to Symantec, is a dropper. So it will download other Malware. Even if Symantec is not the AV of choice for your business, if your signatures and other protections are current you’ll still be protected. This is because more often than not, the additional Malware downloaded is already known and quickly detected.
"Another approach to protecting computers from zero-day exploits like 'Trojan.Mdropper.AC' is to use white-list security software. Although 'Trojan.Mdropper.AC' was discovered on February 23rd, there is no way to know when it first started to spread. By utilizing white-listing tools, computers are stopped from running malware even before the malware is discovered and reported," added Don Leatham, Lumension's Sr. Director of Solutions and Strategy.
Now, for everyday computer users: if you happen to see an email attachment with an Excel file, or visit a Web page with an offered Excel download, ignore it. Unless you are expecting an Excel file, there is no need to open random email attachments or accept random Excel downloads.
There is no need to panic because a security company discovered an exploit on popular, widely distributed software. Despite what you might read, this is not the end of the world.
As a normal computer user, sensational headlines might make you overly cautious. Caution is a good thing, but blind panic isn’t. As long as you have current anti-Virus protection and all of the released operating system patches from Windows Update, you will be just fine if you just use some basic logic.
(To run Windows Update - click START, then Programs, at the very top click Windows Update. You might see Microsoft Update, either one will work.)
Also, just like in IT, even if Symantec is not your anti-Virus vendor and you use other software, if it is current then you should be fine.
The vulnerability was discovered in Microsoft Excel 2007. Symantec says that earlier versions might be vulnerable as well, but they have no evidence, so they will not make that claim. In addition, Symantec is a member of MAPP (Microsoft Active Protections Program), so it is likely that Microsoft is well aware of the vulnerability recently discovered.
Should this vulnerability move up on the risk scale, either with wide exploitation or discovery of something more malicious than a low-level dropper, the same rules will apply as always. Update systems with the latest patches, update anti-Virus and other security software, and avoid unknown Excel files. If it does get to that point, Microsoft will likely issue another out of cycle update to fix the problem.
If they do that, the catch is that you have to apply it. Patches are useless unless they are installed.