Symantec Spots Exploit for Excel Zero-Day Flaw

Symantec has revealed an exploit that could drop a back-door Trojan onto an infected system.

Symantec has uncovered malicious code that could exploit Microsofts newest zero-day vulnerability.

Today on Security Response Weblog, Symantec revealed the exploit, which could drop a back-door Trojan onto an infected system.

The exploit "may enable an attacker to gain remote access to your computer," wrote Amado Hidalgo in the blog post.

/zimages/4/28571.gifFor more on the exploit, check out Joe Wilcoxs blog.

The malicious code "appears to be exploiting a bug on MSO.DLL," which is an Office shared library, Hidalgo wrote. In a security bulletin issued on Feb. 2, Microsoft warned that "other Office applications are potentially vulnerable" to the zero-day flaw. Symantec has only seen code that exploits Excel.

The exploit actually uses two different Trojans. The first, Trojan.Mdropper.Y, drops the second, Backdoor.Bias. Symantec has released patches for both Trojans. A signature update for the first one was issued today.

"Fully patched versions of Office 2000, XP and 2003 appear to be vulnerable to this exploit," Hidalgo wrote.

Zero-day refers to a flaw for which there is an exploit but no available fix. The Excel flaw is Microsofts fifth zero-day flaw since December. The zero-day flaw affects Office versions 2000, XP, 2003 and 2004 for the Mac, but not 2007 or Works 2004, 2005 or 2006, according to Microsoft.

Symantecs post somewhat raises the urgency around the flaw, because its the one exploit that can drop a back-door Trojan onto an infected system. Trojans of this kind allow remote download of software onto an infected computer.

Neither Symantec nor Microsoft has revealed whether or not Windows Vista could mitigate against exploit of the zero-day flaw. In its default configuration, Windows Vista runs all users—even those running as administrators—in standard mode.

/zimages/4/28571.gifClick here to read about a tool from CA that fights zero-day attacks.

Users typically receive a UAC (User Account Control) prompt asking permission before installing software. Conceptually, UAC would act as a barrier against installation of the Trojans.

Microsoft is taking the zero-day threat more seriously than ever. Two weeks ago it brought together security experts and botnet hunters to brainstorm responses.

On Feb. 8, Microsoft is scheduled to reveal what patches it will issue during its monthly security patch cycle. During Januarys release of security updates, Microsoft pulled zero-day Word flaws at the eleventh hour. The company next releases security patches on Feb. 13, the second Tuesday of the month.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.