Hackers Pounce on Excel Vulnerability

Hackers have launched a new attack that uses a previously undiscovered flaw in Microsoft Excel to target business executives and government agencies.

The zero-day attack could be used for “spearphishing” — phishing targeted at a select pool of victims, according to antivirus vendor Symantec, which discovered the threat.

“This is a crafted message going after selected people, and there’s a very high likelihood that it will be successful,” Vincent Weafer, vice president at Symantec (NASDAQ: SYMC) Security Response, told InternetNews.com. “If you’re a senior executive and get an e-mail saying, ‘Here are the budget figures from our last meeting,’ you’re definitely going to open up the file.”

The attackers send potential victims an e-mail with a Microsoft (NASDAQ: MSFT) Excel attachment that, when opened, downloads a Trojan — identified by Symantec as Trojan.Mdropper.AC — onto the recipient’s computer. At the same time, the Excel file contains malware that lets attackers run unauthorized code on the user’s computer.

It’s the second time this week that researchers have detected attacks that piggyback malicious code on an Office document. In an earlier attack on the IE7 browser, hackers e-mailed victims a Microsoft Word document containing an embedded ActiveX control.

The method itself is quite old, however. “Two years ago, we saw a sequence of targeted attacks using Office documents,” Symantec’s Weafer said.

Infected Excel file

In the newest case, an infected Excel document crashes the application briefly once it’s opened. The Trojan then infects a user’s machine, which a hacker could then use to download other pieces of code, Weafer said.

“At the end of the day, what you get attacked with depends on what the attacker chooses to download on your machine,” he said.

The Trojan works on computers running Microsoft Windows Vista and XP and affects Excel 2007 files using the older .xls format, Weafer said. It does not involve Excel files saved in the newer Excel .xlsx format.

The attack takes advantage of an exploit researchers term the “Microsoft Excel Unspecified Remote Code Execution Vulnerability,” according to Symantec. Symantec said it has released an update for its antivirus software to counter the virus.

In Security Advisory 968272, released today, Microsoft said hackers using the attack could gain the same user rights as local users, including those with administrative rights — which poses a greater risk to their systems.

To combat the threat, Microsoft advised users to avoid clicking on e-mail attachments and Web site links.

Locking down a vulnerability

A spokesperson from Microsoft said the company is investigating the security vulnerability that made the attack possible. In its security advisory, Microsoft said it is working with security partners through efforts like the Microsoft Active Protections Program (MAPP).

MAPP is a program under which security vendors get information on detected vulnerabilities ahead of Patch Tuesday, Microsoft’s monthly security update. This lets them update their security packages ahead of time — and before such vulnerabilities are disclosed to the public, which could attract new would-be attackers.

Once the investigation into the Excel flaw is completed, Microsoft said it would take the appropriate action depending on customer requirements. This could include an update in a future Service Pack, an update as part of Patch Tuesday or an out-of-band security update, it said.

In the meantime, the Microsoft spokesperson said U.S. and Canadian customers could call 1-866-PCSAFETY for support, while international customers can turn to their local Microsoft subsidiaries. Support calls for security updates are free, the spokesperson added.
