Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Microsoft Posts Excel Zero-Day Flaw Workarounds



 By: Ryan Naraine
2006-06-19
Article Rating:starstarstarstarstar / 1


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Redmond's security response center is recommending that businesses block Excel spreadsheet attachments at the e-mail gateway to avoid targeted zero-day attacks.

Microsofts security response center is recommending that businesses consider blocking Excel spreadsheet attachments at the network perimeter to help thwart targeted attacks that exploit an unpatched software vulnerability.

The Redmond, Wash., software giant published a pre-patch advisory on June 19 with a list of workarounds that include blocking Excel file-types at the e-mail gateway.

File extensions associated with the widely deployed Microsoft Excel program are: xls, xlt, xla, xlm, xlc, xlw, uxdc, csv, iqy, dqy, rqy, oqy, xll, xlb, slk, dif, xlk, xld, xlshtml, xlthtml and xlv.

The companys guidance comes just a few days after public confirmation that a new, undocumented Excel flaw was being used in an attack against an unidentified business target.

The attack resembles a similar exploit that targeted Microsoft Word users, prompting suspicion among security researchers that the attacks may be linked.

Resource Library:

The Excel attack includes the use of Trojan horse program called Trojan.Mdropper.J that arrives as an Excel spreadsheet with the file name "okN.xls."

When the Trojan is executed, it exploits the Excel flaw to drop and execute a second piece of malware called Downloader.Booli.A. It then silently closes Microsoft Excel.

Downloader.Booli.A attempts to run Internet Explorer and inject its code into the browser to bypass firewalls. It then connects to a remote Web site hosted in Hong Kong to download another unknown file.

In the latest advisory, Microsoft confirmed that the vulnerability exists in Excel 2003, Excel Viewer 2003, Excel 2002, Excel 2000, Microsoft Excel 2004 for Mac, and Microsoft Excel v. X for Mac.

Excel 2000 users are at highest risk because the program does not prompt the user to Open, Save, or Cancel before opening a document. Other versions of the software present a warning before a file is opened, Microsoft said.

The company insists that a user must first open a malicious Excel file attached to an e-mail or otherwise provided to them by an attacker to be at risk.

For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

The flaw is described as "improper memory validation" in Excel that occurs only when the program goes into repair mode.

Microsoft also recommends that businesses using Excel 2003 prevent Excel Repair mode by modifying the ACL (Access Control List) in the Excel Resiliency registry key.

Detailed instructions can be found in the advisory.

Microsoft said businesses should also consider blocking the ability to open Excel documents from Outlook as attachments, Web sites and the file system directly.

This can be done by removing the registry keys that associate the Excel documents with the Excel application.

As best practice, the company said Excel users should remember to be very careful opening unsolicited attachments from both known and unknown sources.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.





  Reader Comments: Microsoft Posts Excel Zero-Day Flaw Workarounds
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}v89hN;/ۑrd[5,ēR$$M{%?ٗg*BKݳqwl BUP(~ 'I"gnZΘt\snS;úO X%w>[ &(ɑԫ1m3HnwݶN=gP'^@᳙(,Q H5K&OxgMlM1ečz5m0 fE1;&I {s!%2;K;'?+B]2HXߦuɷ~{Xe;7 >)*XI,B(?F#ƈus_?;x'C?wdRr[dQ=˲nMw3a[uޡlZ*մ*rM)o[©̝ wڨ>~)eU靷O/r$QPw;@ږu`(:n{'ϭwqq gis,W;YHM~goDR˅4D> Pc,{BrM7JQ߹pKX+hvdꁑf1<˧0CF_8RCf9l򓹥uo]^\{-o^['>ߙecfy 3?b Jw3B~ VW'WOWUt/qsCV=BCj`BӹciumUo~vO^MnXCyC0-ߕRMRs~:\$.>HN‘,?N3`HBm۲:ϑ\R yKa(7f`X@7? eR2&r* 1@/W4j5-Mn #dLi&έzh-Aho*KLru&@Sk~$M ]5ņ])!exFS{ۤ%/^(P%!P샖_. jFՇTwIQQ#7{̌_"ʥcc^IcGsQ 4l.k\BtWʲ9QY +K\M흚ޢG=-*<7NZ1]t{]iz-xXnvZM( 8ù:on:jr-6RA^Tjrkh2ud8԰:AG:ڴ[\V4!>F&h`㻣Vh>[W <{ C 0ԟsZ LP#AтMz>kI-ߟL s#08w ɍ5 <Q]ѡ4}aqjSg !Tgxs=w= } o  ߝ5#z[-[Z6x G͹A Q|'sZ( w^`cy"= EEKy3@ $h5az. ŊI^KHX-Vpp(6ݞH:s@-JEs㙰TL٣XB YX/_23CCɴaX9{DMfT`B[ụDKak`F\rA+ŲMCAӀIQTZUj5YQsMqsr`!mg׹g o3p#Eq"O(12,Xh4l:Z7EQsĽ%ShƏ00UEBfO-$V(fsᠺN4S}52{Bk`ass2|dܣ%}?p*JNCjVzv}fMAV?Ty |9p‡9E#rUϚX 5<.&B#5wCʚLr畔UIY(iJSլ LoyC).EwJl㜜;F]s;tOִ=/OJb-yhֽ UעmH_ƠT. B[+ž M 2%W}kaԕ %/DA n:\X1,# l,G4~hN/a2*)WKPb8`OEMĽ~K*+j)Kۊ7V-iV9дZZ,<>kp6X"@@7wL)mT.mT^̇'Χޑ;i6E7[{\MǮtNMH &Xt+@ZogWKHZSYCٰ\R >I16D ȸau-`byfS]Wѹq}O8l1D:3`mpb Z GZ."~~~029 ?wszm>S?؊ ܕVR5sSwhlrMcJrEux.(J9)` N 2&|h :|#H& ,w\d`АgBrAa X+S//' 7(ڀ"P/?ˇ%btXQ =j={e|h322 yㅤZ JLarheU-UjR9_VqTG"MϨpL:k}\WJZP {>`,mC[$ zDÈ i[qņZ 1 54};`է[ k欭h+,s Jb+ʹV(EcXEhjC<gf'ܪ+_L}ˀGeyM?ܛZIc="JL7O<s[B< r_ǞuC vq?n216<^uUJ`|,4̩$FlؤκV}|,On?Z ƚAFp5xl==CݸX vLzWO!SB9^%13sK]7a ZQkQHU(V $ zU;{\bke`WPF4`W&{ڜx&\_{sƋ(b)Q^rSW"&wD<7Ϩ;}Nb4PG }f qg5iv<n've=D knIG:a;F*ݔkY`'\U%P-HjIt>80xX N zWQ{qT2NwZU}{?"}QL pف#;? t%.}燫qt4}=K'N>1a}^frj8G)jiv%<4UjOJV%?\v?KNC[ q޲oU-h3 J@c$w}|I˙ۋqta Na啀  _9ݎi^~h/igK~J[R^{!z0W&n48T6MFzV5C2ܝa3 vH[!Br_ǭK,SVXKr! Vj,49Aϐa6(n4'lC/A֭ Bf/3bB!|JTAv,3x\=[<,Mw[v1C'ͳ~4ϿOA ̯> H-Ѝ>u?y{`o&o=)sǣA3g伅)ћN}ۨ+a4 }Fp?vOJowؽs¾"80Nt,4P$yUZ/WU $d% >Yx2M#}%3 =ki^x̠t4w {}!.u0.sT7?_eҰKw= =z .+-R!EkEwWUK OgʢE:'%mK`#iv.R_;+!bi4V;Tf{ts̷kD:>dO>^jD}|92> AYC؞qnbLdOB%6÷Cw#S''Sc3HF#%cOSϱ6mF @|Ր۰h]Z1q`j}Z/p$|#؈'GG?Z7{cE|3̔ u\ KMΟU_r w^?P??\=3q x zГqi+B6t8y@9ST<3@Sm< gjj%>( 2]VLי^(bؑXL{6?\eۄUO> 'xcR/p=W-uVIԽő>cEq 1ۊxő7(;uM+TS{07o9' 7}f+wi?*ES!l#rޓ>ԗZwidfP3:l<{$[Hm"8)qДLqx.Q#xU!7~e o2\{k9>9okЂ4_҉JWwIp]<8CD'h$K"I@\$KȳR$$]ol6³k0%,oHP&<sghT!,AX.B`TuGb6zcwZ+ ֕9>,)Vs#bJ V6z@7܊Qn(ggK f.zAGYcL28` A@.Nټa7gcӚ۲JARMY\"V b)*iH4Х/]Rb#IH*B~#}#:GuFeIߊjLZݔ*Ϯzz=&uz!}A c` `#΂Zn1ڋV$.tHd+[=.{dhLŒߗq &7sřM_\3d_*'AI +-v{66?:B֕ ,KJ-X&,CxapH=QɃnJ38CpD$1p# p+aRX4VzqOF䉮'= 9RRDqm4I ZknɑjbʅhJK>W^kWO%c!nejK*taq}wW+RDgt,8HC8 B JDcw6ʳ]@$!=͗ީtOWDV:x]ڸۑqOW]!1ߝߝߝߝ Y(V m5{RߝImRX$]Z5 @[nahM\4$? `\BX?!oqߣnoƦ5or^Z%vf%7agܩ0))lgGjzc4EZBp+ʺ,K&/xzw6z^H٨<=mlX[Rc~|"_4cTw.+͑^S, xxYN6@c7DiANso{QD[XlB7@<g3w*;utîXfZK φ=MOq;m5p2 _ AWoͣi^W\knzT{ZSh~wL lff6S7{M_ro&`ljVXVgVEQzf0m-mYޣS.{UnZZJ n%8n|6S^M`0W/%4C2CbMʩ$t86Y S&e< m~id$=tJb9_"O~{sפ{ |:لO 87eQn|}xiς^9Uj,`,2V`Ӷ뿓$yjc6%1Y~GjOP5Ig.&>;vExo~6:|q׷ x3'"ui=TgZPsX%f,,iH!c-1_ f? `* n'y{@d'p.dˋ+AE!Lj}AKfRכRÜa}N"F dr۬B.]cbwbHu"^]Z˽X:bK2&ϯ #zۉЙ>3&ޢME*ނ0HQ&ܢۨ@JVH4isOkp)x9}nZӚbfă ZOka`;Xikj=!vSC` /J.қbv(g9>([oW-F]M5ΩX:]LcXG! 8Wxo/%5&¯I{e >9b٪ӹJc:u_`ci*qwM[*{9YJ-h>#4NFcȞuTEo0 +iZ`3+nޖTm}qVҽ]FRh3'; KG"ͨa8TJo J}JzV=oi۞Ox #ZNHh5J<>O|B< Er"c Ą)bUfwܠ~z*ڟOe^fs B ;=Hl~'dM,|U:l|%w[RGlЦANKt Mx67W0OL}x+{VzK"?{|Od>hTHґ!WwmA=~zDLRO\ND CVY aIm{7R[ $y?ZED"% qŢׁ3r޺ꝵe=<prQ_[{Xu..n}5,N߃9$.+Ja Sݝ!+:e1qU[XZ؟ްn?EpA1HSvkڨ>^RDHy> `8.pgj9xUtKdL*2&Bs879|_/{=&:N% =a k(E$7׳Ŏ1-(ĴF#1CLD:5,ǰlFLN߅g-m:x~*# &(?-p E b{GLƙ;fQ7_$1'EQ\VP*@H>Q|?pk%Tmn$|s (71Ȕ,,2E<Cez{X<> 2鐚AdjU,ywF7`C'[EY|ob{LgA~&\b@Ԑ0(b$Ѕ:y,@#!9ωkYkCa]?X/t`p3W VjE)OBӁRs] U+|kx2,4e &JZ! `xzNrdhz߃ISk;srҽ$MrrjާeY OQa[+p \MnaQIuq>'31F;6M&JrfdeANΛSrsm.4 "G}ɂwᝥ%}VX\mssE~D(/pY QJ/Ni01?c<>lzZ6ZA/N|veI՚#:|jS#}uLpXmn¸~(hOu{Qt[FhR3`dzP1+(GMfFyʻ@VF/?d!vq^_>5_;?ϴ3v{^F( eٮdv2t2Ӂw2dg(? 3O4oPw2a|3ubxvY^]Y;X;Yo)P/YC"Icgev'σfewbiq叏ޢD)+Fyk@[xWe\7㌠6ѧv {xuCZͳEC=tz}iP,Us !QaWEjo2x sһŁC @=WCtz =s;u`- l>EM++J9wW(}{(&0#&T_$`vXJ D`q9#Tx|Deiګ.91C=b[hǬ[ɖ^c(L"׏ ѱ@;f]WeL+,d 'æȗp^Wv,P@0~Y8P*`!I؞.F^̇$u0X?b{I2hؐM ؒ9N-#N>@O'ÙCwHX&58W! 76@c d߻A!0+<:,(-ȷ:g^=F:zJ7dp!gB-ҋKt>p_eD˺UB` jϗ9kn%c$Q6#"9ipz8Ï }Cqzvtsʱ Eiै+Qݎ;S œj@@rĶ ?|c Ҥ$z b2O|e'0O2#z]Wva^nO,9`&<›Ä-IZcm%^#%&aBcM=19ρ{xrh`=F(Qu>}T.q 5sEEבE,&J  B8ɄdX.N`'2ݻЄ2t\~++DN焽HaCm5ueԦEm_sÃ2W 6LG4 (Q"#q}(!3(K)P%)^Ղ]#rF31F#qyU p6+_ׁ.L$+#R.ܐOF{/)0XPy4<p2I>0 `)`"sC@_DcSF)f'VFp)hN<}y?ڢ uKğ?X \cwHV&Lt>[Oulם8C# d9b7S1$+nvGD '7>6'كl2p~!(_Eْ+0u6ܨNAEVb0yMvSF} ?dtE#bSp!@>pM֧2QTD Q)ۉYbd휙FqB9 3D&U@EqD'Pyml<^|:ym놮E{Ofuݎfm/xo++$~Il=du-Wr 1e~8Şi#}@ =(ۊnfة`y%K@44{$wshՆG0ޏqPRl@xS a {m;pSz2  ѨpSTVD'S^-3qݼSQa[_.<'̳(`,Lv"VKjMΡmdqR!EfƲ 7cP.X]-'B@:S .x CG,$?ˋ}P 399.@OI"cXM1}aE|qSS}v4<~vkm a% ѨT\_N+g, mݸ楇ͣ.ΏtOђuǭ4!ջh?$+e=;`7 r9̳G`bhPfYWVIGb$- U.ä.yaL셳QbmئdUi29J{) qŭ˕4>!ane߄;l| n%96L]_[ P )