Security Watch

Keeping Track of patches and hacks in the IT security world.

How to Minimize Risk from Zero-Day Attacks

How to Avoid Excel Zero-Day Attacks

As I wrote in this piece over at, rigged Microsoft Excel files are being used to exploit a zero-day (previously unknown/unpatched) vulnerability and plant keystroke loggers on select (.gov?) networks.

As Rob Lemos points out, bugs in Microsoft Office applications emerged over the last year as standard weapons for criminals conducting corporate espionage and computer attacks against military targets. Last summer, Microsoft's Office team struggled to keep pace with flaw discoveries and, after a brief lull, it looks like we'll see much of the same this year.

If you have valuable information on machines with Microsoft Office installed, you might want to consider these important mitigation strategies to avoid finding a rootkit in a sensitive part of your network a few months from now.


* Run up-to-date anti-virus software. It may not catch everything and, in many cases, it may be slow to respond to an emerging threat, but you really should have anti-virus as one of several layers of defense.

* Keep all Windows machines fully patched in a timely manner. A clever patch-management strategy for systems with sensitive or confidential information can save you from zero days that piggyback on older, already-fixed vulnerabilities.

* Do not accept or execute files from untrusted or unknown sources. In sensitive environments, do not open attachments (including .doc, .xls or .ppt), even from people you know and trust, because it's easy for an attacker to spoof an e-mail to make it look like it came from a colleague. This also applies to files -- and strange URLs -- that arrive from contacts on your IM list. Distrust everything.

* Do not click on links from unknown or untrusted sources. Again, distrust every link that comes with a catchy, enticing promise of a sexy video or hot news story. As a best practice, network administrators should filter HTML from e-mails and block executables at the gateway to keep attacks at bay.


* Take a page from Microsoft's playbook and implement multiple redundant layers of security. The biggest threats come from code execution attacks, so it's important to use memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. I agree with the folks at Symantec DeepSight that this tactic may complicate exploits of memory-corruption vulnerabilities.

* Run all software as a nonprivileged user with minimal access rights. Almost all malware attacks target computers that run with full admin rights. On corporate systems with sensitive documents (the big target for zero-day attacks), no-admin should be implemented as a priority.


This bit of advice from Microsoft is specific to attacks against Office (MS Word, MS Excel, MS PowerPoint) but it's worthwhile for any business that could be a target of corporate espionage attacks:

* Download and use MOICE. The Microsoft Office Isolated Conversion Environment feature is a free addition to the Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats. It's a perfect solution for businesses that must open -- and trust -- Office files from external sources. MOICE can be used in tandem with Group Policy settings to convert documents in legacy (.doc) formats to OpenXML formats, stripping out potentially harmful elements that could pose a security risk. The conversion process takes place in a safe, quarantined sandbox environment, so the user's computer is fully protected.

* Use the Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations. Microsoft has offered a registry scripts to help set the File Block policy (see workarounds section of advisory).