Microsoft Confirms Excel Zero-Day Attack Under Way

The software maker activates its security response process after learning that a Windows customer is the target of an attack against a new, undocumented Excel spreadsheet vulnerability.

Microsoft June 15 confirmed that a new, undocumented flaw in its widely used Excel spreadsheet program was being used in an attack against an unnamed target.

The companys warning comes less than a month after a code-execution hole in Microsoft Word was exploited in what is described as a "super, super targeted attack" against business interests overseas.

The back-to-back zero-day attacks closely resemble each other and suggest that well-organized criminals are conducting corporate espionage using critical flaws purchased from underground hackers.

In an entry posted to the MSRC (Microsoft Security Response Center) blog, Microsoft Operations Manager Mike Reavey said the company is investigating "a single report from a customer being impacted" by the latest attack.

"Heres what we know: In order for this attack to be carried out, a user must first open a malicious Excel document that is sent as an email attachment or otherwise provided to them by an attacker," Reavey said.

"Remember remember to be very careful opening unsolicited attachments from both known and unknown sources," he added.

Microsoft has activated its security response process, which means a formal security advisory will be issued within 24 hours to suggest mitigation guidance and possible pre-patch workarounds.

"Weve got the Office team engaged of course, and they are hard at work investigating the vulnerability," Reavey said.

According to security alerts aggregator Secunia, the Excel flaw has been confirmed on a fully updated Windows XP SP (Service Pack) 2 system with Microsoft Excel 2003 SP2.

Anti-virus vendor Symantec said Windows 95, Windows 98, Windows Me, Windows NT and Windows 2000 computers are also at risk.

Symantec was the first to raise a red flag about the attack, which includes the use of a Trojan horse program called Trojan.Mdropper.J.

The Trojan arrives as a Microsoft Excel file attachment to a spoofed e-mail with the following name: "okN.xls."

When the Trojan is executed, it exploits the Excel flaw to drop and execute a second piece of malware called Downloader.Booli.A. It then silently closes Microsoft Excel, much like that way the Microsoft Word attack worked.

Downloader.Booli.A attempts to run Internet Explorer and inject its code into the browser to bypass firewalls. It then connects to a remote Web site hosted in Hong Kong to download another unknown file.

Symantec, McAfee and others have added signature detections to remove malicious software that attempts to exploit the vulnerability. Microsofts Windows Live Safety Center has also been updated, but security experts say the attack can easily be modified to bypass signatures.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.