Attack Uses Excel Attachments

By Ryan Naraine  |  Posted 2006-06-26 Print this article Print

Microsoft warns users about an unpatched flaw.

Microsofts security response Center is recommending that businesses consider blocking Excel spreadsheet attachments at the network perimeter to help thwart targeted attacks that exploit an unpatched software vulnerability.

The Redmond, Wash., software maker published a prepatch advisory on June 19 with a list of workarounds that include blocking Excel file types at the e-mail gateway. The Excel flaw, which was being used in an attack against an unidentified business, surfaced June 15 and was confirmed by Microsoft June 16.

File extensions associated with the widely deployed Excel program are: .xls, .xlt, .xla, .xlm, .xlc, .xlw, .uxdc, .csv, .iqy, .dqy, .rqy, .oqy, .xll, .xlb, .slk, .dif, .xlk, .xld, .xlshtml, .xlthtml and .xlv.

The attack resembles a similar exploit that targeted Microsoft Word users, prompting suspicion among security researchers that the attacks may be linked.

The Excel attack includes the use of a Trojan horse program called Trojan.-Mdropper.J that arrives as an Excel spreadsheet with the file name "okN.xls."

When the Trojan is executed, it exploits the Excel flaw to drop and execute a second piece of malware called Downloader.Booli.A. It then silently closes Excel.

Downloader.Booli.A attempts to run Internet Explorer and inject its code into the browser to bypass firewalls. It then connects to a Web site hosted in Hong Kong to download another unknown file.

In the latest advisory, Microsoft confirmed that the vulnerability exists in Excel 2003, Excel Viewer 2003, Excel 2002, Excel 2000, Excel 2004 for Mac and Excel vX for Mac.

Excel 2000 users are at highest risk because the program does not prompt the user to open, save or cancel before opening a document. Other versions of the software present a warning before a file is opened, Microsoft said.

The company insists that a user must first open a malicious Excel file attached to an e-mail or otherwise provided to the user by an attacker to be at risk.

The flaw is described as "improper memory validation" in Excel that occurs only when the program goes into repair mode.

Microsoft also recommends that businesses using Excel 2003 prevent repair mode by modifying the ACL (Access Control List) in the Excel Resiliency registry key.

Detailed instructions can be found in the advisory (

Spreadsheets Spreading Havoc

Targeted attacks are zeroing in on an unpatched Microsoft Excel flaw. The specifics:

Scope of threat:

* Vulnerable programs include Excel 2003, Excel Viewer 2003, Excel 2002, Excel 2000, Excel 2004 for Mac and Microsoft Excel vX for Mac

What causes the vulnerability?

* Improper memory validation in Excel when the program goes into repair mode

How can an attacker exploit the flaw?

* Attackers can use specially rigged Excel files sent by e-mail or via malicious Web sites; in both attack scenarios, the target would have to be tricked into opening the Excel file

Suggested workarounds:

* On Excel 2003, prevent Excel repair mode by modifying the ACL to the Excel Resiliency registry key; block all Excel file types at the e-mail gateway; do not open or save Excel files that you receive from untrusted sources


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel