Microsoft Excel zero-day flaw discovered
Thirteen security updates and a cornucopia of exploit code were already a lot for Microsoft customers to digest in one week. Now the software giant is warning of a new zero-day flaw in Excel that attackers could exploit to launch malicious code.
Microsoft Security Response Center Program Manager Mike Reavey said in the center's blog that one customer has reportedly been affected by an attack using a new vulnerability in the spreadsheet program.
"Here's what we know: In order for this attack to be carried out, a user must first open a malicious Excel document that is sent as an email attachment or otherwise provided to them by an attacker," he said. "So remember to be very careful opening unsolicited attachments from both known and unknown sources."
He said the Windows Live Safety Center has been updated to detect the flaw "for up-to-date removal of malicious software that attempts to exploit the vulnerability."
Danish vulnerability clearinghouse Secunia issued an advisory labeling the flaw "extremely critical." That's the firm's highest severity rating and is typically reserved for remotely exploitable vulnerabilities that can lead to system compromise.
"This vulnerability is a so-called zero-day and is already being actively exploited," Secunia said, adding that the flaw is caused by an unknown error within the processing of specially crafted Excel documents. Secunia confirmed the security hole on a fully updated Windows XP SP2 system with Microsoft Excel 2003 SP2. Other versions may also be affected, Secunia warned.
The Bethesda, Md.-based SANS Internet Storm Center (ISC) is recommending users mitigate the Excel threat by heeding the same advice it offered last month, when Microsoft Word was hit by zero-day exploits. At the time, ISC recommended users observe at least some of the following defenses:
User education is key, but likely insufficient. Attacks like that will use very plausible messages. Create some examples to re-emphasize this fact. "What if you receive a message from a customer you know, referencing a project you are working on, that includes a Word document. Do not open the document before calling the customer."
Do not trust antivirus alone. Defending against zero-day is all about defense in depth. Antivirus is likely going to fail to stop exploits like this. Consider a system that quarantines attachments for at least 6-12 hours to allow antivirus signatures to catch up.
Limit users' privileges. It will be much easier to clean up after an exploit like this if an affected user had no administrator rights.
Monitor outbound traffic. IDS and firewalls are as valuable for protecting networks from malicious traffic entering as they are for protecting against corporate secrets leaving the network. Consider deploying "honey tokens," files with interesting names that contain a particular signature the IDS will detect.
Block outbound traffic. Try to limit sites accessible to users and use techniques like proxy servers to isolate clients further. Proxy filter logs will also work great as an IDS to detect suspect traffic.
Limit data on desktops. Try to teach users to limit data they store "in reach." This is a difficult balance. But a file on a remote system, which would require additional authentication, will likely not be accessible by a bot as in this case. Locally encrypted files will work too, as long as they stay encrypted until used. Encrypted file systems will not help, as they will be accessible to the user opening the Word document.
"These very general best practices should help alleviate the danger until Microsoft releases a patch or more specific workarounds" for the Excel flaw, the center said.
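The two ISC recommendations about outbound traffic (monitoring for honey-token signatures and using proxy logs as a makeshift IDS) can be turned into a small detection pass over egress logs. The following is an added example written for this page; it is not code from the article, from Microsoft or from the SANS ISC. The log format, the honey-token marker string, the allowlist of hosts and the upload threshold are all constructed assumptions. Note in particular that an ordinary proxy log does not record request bodies; the trailing payload excerpt is assumed to come from an IDS or content-inspecting proxy that can see the data leaving.

```python
import re
from dataclasses import dataclass

# --- Constructed inputs (assumptions, not values from the article) ------------
# A honey-token marker planted inside decoy files with tempting names. A real
# deployment uses a random, unique marker per decoy so hits are unambiguous.
HONEY_TOKEN_MARKERS = {"HTK-7f3a9c-PROJECT-ATLAS"}

# Hosts desktop clients are expected to reach; anything else is worth a look.
ALLOWED_HOSTS = {"intranet.example.com", "mail.example.com"}

# Bytes sent in a single POST/PUT above which a request is flagged.
UPLOAD_THRESHOLD = 1_000_000

# Assumed egress log format, one request per line:
#   <unix_ts> <client_ip> <method> <host> <bytes_out> [payload_excerpt]
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>[\d.]+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<bytes_out>\d+)(?: (?P<payload>.*))?$"
)

# Constructed sample log: one normal browsing session, one exfiltration-like
# POST carrying a honey token to an outside host, and one malformed line.
SAMPLE_LOG = """\
1150000001 10.1.2.5 GET intranet.example.com 312
1150000002 10.1.2.5 GET mail.example.com 1024
1150000003 10.1.2.5 POST 203.0.113.9 2048000 HTK-7f3a9c-PROJECT-ATLAS...
1150000004 10.1.2.7 GET updates.example.org 880
this line is not in the expected format and is skipped
"""


@dataclass
class Alert:
    severity: str   # "critical", "high" or "medium"
    client: str
    host: str
    reason: str


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    rec["payload"] = rec["payload"] or ""
    return rec


def check_record(rec):
    """Apply the three checks to one parsed request and return its alerts."""
    alerts = []
    # 1. A honey-token marker leaving the network: the highest-confidence signal,
    #    because legitimate traffic has no reason to carry the decoy's content.
    for marker in HONEY_TOKEN_MARKERS:
        if marker in rec["payload"]:
            alerts.append(Alert("critical", rec["client"], rec["host"],
                                f"honey token {marker} seen in outbound payload"))
    # 2. Destination outside the allowlist (the proxy-as-IDS idea).
    if rec["host"] not in ALLOWED_HOSTS:
        alerts.append(Alert("medium", rec["client"], rec["host"],
                            "outbound request to non-allowlisted host"))
    # 3. Unusually large single upload.
    if rec["method"] in {"POST", "PUT"} and rec["bytes_out"] >= UPLOAD_THRESHOLD:
        alerts.append(Alert("high", rec["client"], rec["host"],
                            f"{rec['bytes_out']} bytes sent in one request"))
    return alerts


def scan_log(text):
    """Scan a whole log; return (alerts in log order, count of unparsable lines)."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1       # count rather than crash on malformed input
            continue
        alerts.extend(check_record(rec))
    return alerts, skipped


def clients_with_critical(alerts):
    """Clients that triggered at least one critical alert (the ones to isolate first)."""
    return {a.client for a in alerts if a.severity == "critical"}


if __name__ == "__main__":
    found, bad = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"[{a.severity:8}] {a.client} -> {a.host}: {a.reason}")
    print(f"{bad} unparsable line(s) skipped; isolate first: {clients_with_critical(found)}")
```

The ordering of the checks matters for triage: a honey-token hit is reported as critical on its own, while a non-allowlisted host or a large upload is only a medium or high signal that needs corroboration, which is why the sample's exfiltration line produces all three alerts and the stray update check produces just one.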