Microsoft Excel zero-day flaw discovered

By Bill Brenner, Senior News Writer
16 Jun 2006 | SearchSecurity.com

Security Wire Daily News

Thirteen security updates and a cornucopia of exploit code were already a lot for Microsoft customers to digest in one week. Now the software giant is warning of a new zero-day flaw in Excel that attackers are exploiting to run malicious code on victims' machines.

Microsoft Security Response Center Program Manager Mike Reavey said in the center's blog that one customer has reportedly been affected by an attack using a new vulnerability in the spreadsheet program.

"Here's what we know: In order for this attack to be carried out, a user must first open a malicious Excel document that is sent as an email attachment or otherwise provided to them by an attacker," he said. "So remember to be very careful opening unsolicited attachments from both known and unknown sources."

He said the Windows Live Safety Center has been updated to detect attempts to exploit the flaw "for up-to-date removal of malicious software that attempts to exploit the vulnerability."

Danish vulnerability clearinghouse Secunia issued an advisory labeling the flaw "extremely critical." That's the firm's highest severity rating and is typically reserved for remotely exploitable vulnerabilities that can lead to system compromise.

"This vulnerability is a so-called zero-day and is already being actively exploited," Secunia said, adding that the flaw is caused by an unknown error in the processing of specially crafted Excel documents. Secunia confirmed the security hole on a fully updated Windows XP SP2 system running Microsoft Excel 2003 SP2. Other versions may also be affected, Secunia warned.

The Bethesda, Md.-based SANS Internet Storm Center (ISC) is recommending users mitigate the Excel threat by heeding the same advice it offered last month, when Microsoft Word was hit by zero-day exploits. At the time, ISC recommended users observe at least some of the following defenses:

  • User education is key, but likely insufficient. Attacks like that will use very plausible messages. Create some examples to re-emphasize this fact. "What if you receive a message from a customer you know, referencing a project you are working on, that includes a Word document. Do not open the document before calling the customer."

  • Do not trust antivirus alone. Defending against zero-day is all about defense in depth. Antivirus is likely going to fail to stop exploits like this. Consider a system that quarantines attachments for at least 6-12 hours to allow antivirus signatures to catch up.

  • Limit users' privileges. It will be much easier to clean up after an exploit like this if an affected user had no administrator rights.

  • Monitor outbound traffic. IDS and firewalls are as valuable for protecting networks from malicious traffic entering as they are for protecting against corporate secrets leaving the network. Consider deploying "honey tokens," files with interesting names that contain a particular signature the IDS will detect.

  • Block outbound traffic. Try to limit sites accessible to users and use techniques like proxy servers to isolate clients further. Proxy filter logs will also work great as an IDS to detect suspect traffic.

  • Limit data on desktops. Try to teach users to limit the data they store "in reach." This is a difficult balance. But a file on a remote system, which would require additional authentication, will likely not be accessible by a bot as in this case. Locally encrypted files will work too, as long as they stay encrypted until used. Encrypted file systems will not help, as they will be accessible to the user opening the Word document.

"These very general best practices should help alleviate the danger until Microsoft releases a patch or more specific workarounds" for the Excel flaw, the center said.
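The "honey tokens" and outbound-monitoring items in the ISC list can be made concrete. The following Python is an added example, not code from the article, SANS ISC or Microsoft; the decoy file names, the token format ("HT-" followed by 24 hex characters), the Flow record and every traffic sample are constructed for the demo. It plants one unique token per decoy file, emits a plain Snort-style content rule for each token, and scans captured outbound payloads for the tokens. It goes one step beyond a bare IDS content match by also decoding base64 runs inside a payload, since a bot that wraps a stolen file in base64 before posting it would otherwise slip past the signature.

```python
"""Honeytoken planting plus outbound-traffic detection (added example).

Not from the article or SANS ISC. Assumptions (all constructed for the demo):
- decoys are small CSV-like files with tempting names left on user desktops;
- an outbound tap or explicit proxy hands us reassembled per-flow payloads;
- a token is "HT-" + 24 random hex chars (hypothetical format), long enough
  never to appear in legitimate traffic by chance.
"""
import base64
import binascii
import re
import secrets
from dataclasses import dataclass

TOKEN_RE = re.compile(r"HT-[0-9a-f]{24}")
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")
DECOY_NAMES = ["passwords.xls", "Q2_payroll.xls", "vpn_accounts.txt"]  # constructed


def new_token() -> str:
    return "HT-" + secrets.token_hex(12)


def plant_decoys(names=DECOY_NAMES, token_factory=new_token) -> dict:
    """One unique token per decoy, so an alert names the file that leaked.
    Returns {filename: (token, file_body)}; writing the bodies to user
    desktops is left to the deployment script."""
    decoys = {}
    for name in names:
        tok = token_factory()
        body = f"account,password\nsvc_backup,{tok}\n".encode()
        decoys[name] = (tok, body)
    return decoys


def snort_rule(token: str, sid: int, filename: str) -> str:
    """Plain content-match rule for an IDS watching the egress link."""
    return (f'alert tcp $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"Honeytoken from {filename} leaving network"; '
            f'content:"{token}"; sid:{sid}; rev:1;)')


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    payload: bytes


def _views(payload: bytes):
    """Yield the raw payload, then every base64 run in it decoded. Bots
    commonly base64-wrap stolen files before an HTTP POST, which defeats a
    naive content match but not this scanner."""
    yield payload
    for run in B64_RUN.findall(payload):
        try:
            yield base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like base64 but was not; ignore


def scan_outbound(flows, decoys) -> list:
    """Return (src, dst, decoy_filename) for every flow carrying a token."""
    by_token = {tok: name for name, (tok, _) in decoys.items()}
    alerts = []
    for flow in flows:
        leaked = set()
        for view in _views(flow.payload):
            for tok in TOKEN_RE.findall(view.decode("latin-1")):
                if tok in by_token:
                    leaked.add(by_token[tok])
        alerts.extend((flow.src, flow.dst, name) for name in sorted(leaked))
    return alerts


def sample_flows(decoys) -> list:
    """Constructed traffic: one plain leak, one base64-wrapped leak, two benign."""
    _, pw_body = decoys["passwords.xls"]
    _, payroll_body = decoys["Q2_payroll.xls"]
    return [
        Flow("10.0.0.5", "203.0.113.9",
             b"POST /up HTTP/1.1\r\nHost: drop.example\r\n\r\n" + pw_body),
        Flow("10.0.0.5", "203.0.113.9",
             b"POST /up HTTP/1.1\r\nHost: drop.example\r\n\r\nd="
             + base64.b64encode(payroll_body)),
        Flow("10.0.0.7", "198.51.100.2", b"GET /index.html HTTP/1.1\r\n\r\n"),
        Flow("10.0.0.8", "198.51.100.3",
             b"d=" + base64.b64encode(b"quarterly newsletter draft, nothing secret " * 2)),
    ]


def demo() -> list:
    decoys = plant_decoys()
    return scan_outbound(sample_flows(decoys), decoys)


if __name__ == "__main__":
    decoys = plant_decoys()
    for sid, (name, (tok, _)) in enumerate(decoys.items(), start=1000001):
        print(snort_rule(tok, sid, name))
    for alert in scan_outbound(sample_flows(decoys), decoys):
        print("ALERT", *alert)
```

Two caveats a deployment has to address. The scanner only sees what the tap sees: it needs reassembled flows (a token split across two TCP segments is missed by segment-level matching) and cleartext, which in practice means the explicit proxy the ISC list already recommends, or TLS interception at it. Tokens should also be unique per file and rotated with the decoys, otherwise an alert cannot tell which desktop the bot read.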
