New Zero-Day Threat Excels

Microsoft has issued another security alert, this one for Excel, that has gone largely unnoticed.

Microsoft zero-day vulnerabilities are increasingly so commonplace, the risk is lost with the message. On Feb. 2, Microsoft issued another security alert, this one for Excel, that largely went unnoticed.

In its security bulletin, Microsoft warned that "other Office applications are potentially vulnerable" to the zero-day flaw.

Zero-day refers to a flaw for which there is an exploit but no available fix. The Excel vulnerability is Microsofts fifth zero-day exploit since December, and part of an increasingly troubling trend.

The zero-day flaw affects Office versions 2000, XP, 2003 and 2004 for the Mac, but not 2007 or Works 2004, 2005 or 2006.

An attacker could exploit the flaw either by enticing a user to click on a file hosted on a Web site or an attachment sent via e-mail. Either exploit would require some end-user interaction.

The vulnerability poses the greatest risk to users running with Administrator privileges. Successful exploit of the attack would grant the attacker the same user rights as the user. Office running on Windows Vista could be more hardened to the attack, as all users—even those running as Administrators—operate in standard mode.

Until a patch is released, Microsoft recommends that users avoid opening attachments from "untrusted sources or that you receive unexpectedly from trusted sources."

Security software developers are taking the ongoing zero-day flaw problem seriously. On Feb. 6, at the RSA Conference in San Francisco, CA will announce a host-based intrusion prevention system tool for combating zero-day vulnerabilities.

Trend Micro also is bolstering features, particularly those that detect virus-like behavior.

"A lot of the zero-days are variants on existing code," said David Finger, Trend Micros global product marketing manager. "Were able to use a lot of indicators to detect [malicious behavior]."

Zero-day flaws present unique problems for security software, in part because of the way security signatures are developed and dispatched. Time is another factor. The days are gone when security software developers could respond with patches in a few days.

"Now, its minutes," Finger said.

One response tactic is to harden software against blended attacks, which the new Excel zero-day exploit is good example. Some of that hardening occurs within the operating system, like Microsofts User Account Control feature in Windows Vista, Finger added.

/zimages/5/28571.gifMicrosoft Word zero-day attack discovered. Click here to read more.

For Trend Micro and some of its competitors, security software uses heuristics and other techniques to assess virus-like behavior.

Microsoft is taking the zero-day threat more seriously than ever. Two weeks ago it brought together security experts and botnet hunters to brainstorm responses.

Still, Microsofts responsiveness to some zero-day exploits falls short of the urgency. During Januarys release of security updates, Microsoft pulled zero-day Word flaws at the eleventh hour. The company next releases security patches on Feb. 23.

Microsofts untimely response relates to compatibility testing. If a patch breaks enterprise applications, the cure could cause more problems than the zero-day threat.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.