According to Microsoft's Security Response Center, malformed Excel spreadsheets are being used in targeted attacks to trigger a previously unknown vulnerability in the Microsoft Excel product line. While Excel appears to be the only Office product under attack at this point, Microsoft's security advisory stated, "Other Office applications are potentially vulnerable." Secunia, a software security vendor, stated on its web site that the latest Microsoft zero-day exploit affects the following applications:
• Microsoft Excel 2000
• Microsoft Excel 2002
• Microsoft Excel 2003
• Microsoft Office 2000
• Microsoft Office 2003 Professional Edition
• Microsoft Office 2003 Small Business Edition
• Microsoft Office 2003 Standard Edition
• Microsoft Office 2003 Student and Teacher Edition
• Microsoft Office 2004 for Mac
• Microsoft Office XP
The next batch of Microsoft security patches is due on February 13, 2007 during the software company's monthly "Patch Tuesday" security update. Microsoft has not announced whether this Excel and Office vulnerability would be included in the February 13th update.
If recent history is any guide, it is unlikely that Microsoft will be able to issue a patch for this flaw before the February 13th update. According to eEye Digital Security, a software security vendor, there are currently five outstanding Microsoft Office zero-day exploits (exploits that have not been listed in antivirus dictionaries or patched by the software vendor) that have yet to be patched by Microsoft (source). Four of these exploits target Microsoft Word, and although three of the exploits were released in early December 2006, Microsoft has yet to provide a patch for the underlying vulnerabilities in its Word product line.
The upsurge in Microsoft zero-day exploits should come as no surprise. Zero-day exploits provide cyber criminals the greatest opportunity to infect and remotely control a large number of computers. Cyber criminals can use these infected computers to make money by sending spam, carrying out denial of service attacks (DoS), executing click-fraud, installing spyware, stealing identities, and carrying out other criminal activities. As a result, a premium is placed on these zero-day exploits because they offer cyber criminals the most efficient route to profit.
Unfortunately, successful execution of this latest Excel zero-day exploit will allow an attacker to remotely infect and ultimately control a compromised computer. To execute this exploit, an attacker must entice a user to open an infected Excel document. These infected documents are typically delivered via email or via download from a web site. As a result, TRC recommends that clients not open Microsoft Word attachments from unknown senders and also avoid downloading documents from untrusted sources. Moreover, clients should carefully monitor their network traffic for unusual activity in the form of connections to and from unusual web sites. This type of traffic may indicate an infection within the network.