Microsoft Clamps Down on Excel Zero-Day Attack

Microsoft is taking steps to protect customers from attacks through a zero-day flaw in Microsoft Excel discovered earlier this week.

The company released a new antivirus definition for its system security services Windows Live OneCare and Windows Live OneCare Safety Scanner, and for its Forefront Client Security software for businesses. The update, 1.51.1105.0, targets the exploit that Microsoft (NASDAQ: MSFT) calls Win32/Evenex.gen, according to a blog post by Ziv Mador, a staffer at Microsoft’s Malware Protection Center.

The update aims to tackle a vulnerability in versions of Excel that opens the door to an attack through infected Excel files sent as e-mail attachments.

The threat marked the second time this month in which security experts identified a high-profile attack that used malicious code hidden in a Microsoft Office document. An earlier attack on the IE7 browser had hackers e-mailing victims a Microsoft Word document containing an embedded ActiveX control.

In the latest assault, opening the attachment deposits a Trojan onto the recipient’s computer. In addition to the Trojan, which security vendor Symantec (NASDAQ: SYMC) identified as Trojan.Mdropper.AC, the Excel file itself also contains malware that enables attackers to run unauthorized code on victims’ computers.

According to the Microsoft blog, the attack triggers a buffer overrun when Excel parses, or reads, a corrupted file. A buffer overrun, or overflow, occurs when an application tries to store more data than a buffer can hold, and can cause crashes.

“Once the exploit is successful, the attackers are able to run their code, usually used to drop malware on the victim’s computer,” Mador wrote.

In Security Advisory 968272, released the day of the attack, Microsoft said hackers using the exploit could gain the same user rights as local users, including those with administrative rights.

The news also comes as Microsoft is rejiggering its security offerings. In June, Microsoft plans to stop selling Live OneCare, its software as a service (SaaS) suite for consumers. Meanwhile, Forefront Client Security is part of Microsoft’s next generation of security tools, codenamed “Stirling,” that was rolled out in December.
