[ISN] Microsoft Posts Excel 'Zero-Day' Flaw Workarounds

InfoSec News isn at c4i.org
Tue Jun 20 02:17:54 EDT 2006


By Ryan Naraine 
June 19, 2006 

Microsoft's security response center is recommending that businesses
consider blocking Excel spreadsheet attachments at the network
perimeter to help thwart targeted attacks that exploit an unpatched
software vulnerability.

The Redmond, Wash., software giant published a pre-patch advisory on
June 19 with a list of workarounds that include blocking Excel
file-types at the e-mail gateway.

File extensions associated with the widely deployed Microsoft Excel
program are: xls, xlt, xla, xlm, xlc, xlw, uxdc, csv, iqy, dqy, rqy,
oqy, xll, xlb, slk, dif, xlk, xld, xlshtml, xlthtml and xlv.

The company's guidance comes just a few days after public confirmation
that a new, undocumented Excel flaw was being used in an attack
against an unidentified business target.

The attack resembles a similar exploit that targeted Microsoft Word
users, prompting suspicion among security researchers that the attacks
may be linked.

The Excel attack includes the use of Trojan horse program called
Trojan.Mdropper.J that arrives as an Excel spreadsheet with the file
name "okN.xls."

When the Trojan is executed, it exploits the Excel flaw to drop and
execute a second piece of malware called Downloader.Booli.A. It then
silently closes Microsoft Excel.

Downloader.Booli.A attempts to run Internet Explorer and inject its
code into the browser to bypass firewalls. It then connects to a
remote Web site hosted in Hong Kong to download another unknown file.

In the latest advisory, Microsoft confirmed that the vulnerability
exists in Excel 2003, Excel Viewer 2003, Excel 2002, Excel 2000,
Microsoft Excel 2004 for Mac, and Microsoft Excel v. X for Mac.

Excel 2000 users are at highest risk because the program does not
prompt the user to Open, Save, or Cancel before opening a document.  
Other versions of the software present a warning before a file is
opened, Microsoft said.

The company insists that a user must first open a malicious Excel file
attached to an e-mail or otherwise provided to them by an attacker to
be at risk.

The flaw is described as "improper memory validation" in Excel that
occurs only when the program goes into repair mode.

Microsoft also recommends that businesses using Excel 2003 prevent
Excel Repair mode by modifying the ACL (Access Control List) in the
Excel Resiliency registry key.

Detailed instructions can be found in the advisory.

Microsoft said businesses should also consider blocking the ability to
open Excel documents from Outlook as attachments, Web sites and the
file system directly.

This can be done by removing the registry keys that associate the
Excel documents with the Excel application.

As best practice, the company said Excel users should remember to be
very careful opening unsolicited attachments from both known and
unknown sources.

More information about the ISN mailing list