Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Software

Zero-Day Excel Exploit In the Wild 117

snydeq writes "Microsoft Excel has a zero-day vulnerability that attackers are exploiting on the Internet, according to security vendor Symantec. The problem affects Excel 2007 both without and with Service Pack 1, according to an advisory on SecurityFocus, and other versions going back to Excel 2000. The program's vulnerability can be exploited if a user opens a maliciously crafted Excel file, allowing a hacker to leave a Trojan horse on the infected system."
This discussion has been archived. No new comments can be posted.

Zero-Day Excel Exploit In the Wild

Comments Filter:
  • An Exploit (Score:2, Funny)

    by Anonymous Coward

    An exploit? In my Microsoft product?

    SAY IT AIN'T SO!!!

    • A -1 Troll moderation for mocking Microsoft's deservedly poor reputation for security exploits?

      Oh poor Slashdot, how far have ye fallen?

  • by 0prime ( 792333 ) on Tuesday February 24, 2009 @03:20PM (#26974451)
    Well, let me just open this excel file detailing the financial agreement I will be making with Mr. Ugubu. Surely there is nothing wrong with opening attachments from untrusted sources.
    • by the_humeister ( 922869 ) on Tuesday February 24, 2009 @03:32PM (#26974597)

      What do you mean "untrusted." He just sent me an email detailing how he is the caretaker of the Nigerian's former king's fortune. It sounds official too.

      • by gEvil (beta) ( 945888 ) on Tuesday February 24, 2009 @03:42PM (#26974743)
        What do you mean "untrusted." He just sent me an email detailing how he is the caretaker of the Nigerian's former king's fortune. It sounds official too.

        No kidding. I got an email a few weeks ago from Kofi Annan that talked about how he and some "big wigs at the UN" (his words, not mine) were looking for ways to split up some money, and he was wondering if I would be interested in receiving a share. I've heard of Kofi Annan and know that he was associated with the UN at one point, so it doesn't get any more official sounding than that.
        • by Forbman ( 794277 )

          ...and I got one from a Barrister in Great Britain...

          At least they're grammar and structure is get better. [sic]

          • I got one from a Lt. Col, USArmy, who snatched $25 Million from Saddam. Now that's a trustworthy source, so I couldn't understand why he needed my help as most of it was in $100 bills. Maybe he needed me to carry the suitcases?
            • Wow! Sounds like some professional scammer just looked up the word 'plausible' up in the dictionary!

          • I got one from Colonel Gadaffi the other day, but I disregarded it because he spelt his own name wrong. ;-)
      • by j4s0n ( 1121943 )
        Weird. Every time I try to listen to my E-mails, I just hear music from Star Trek: TMP.
    • Re:Random E-mails (Score:5, Insightful)

      by Lord Ender ( 156273 ) on Tuesday February 24, 2009 @04:06PM (#26975029) Homepage

      Surely there is nothing wrong with opening attachments from untrusted sources.

      The real danger is in opening attachments from trusted sources. If this is used with an email worm, it will look like it is coming from your friends, coworkers, or any of your eight bosses. As a high priority, due yesterday, mission-critical action-item.

      • "It's worse than that Jim".

        If used with the email worm on your less savvy coworker, it will infect HIM (her, or it) ... and really BE coming from your coworker.

      • That's why(among other things) we have to use cryptography on anything we send via email, so it's authenticity and integrity can be verified.

        But IT really hates when people send large documents back and forth over email, so we also have secure online repositories that people are supposed to push/pull documents to/from for x-group collaboration.

    • by jbn-o ( 555068 ) <mail@digitalcitizen.info> on Tuesday February 24, 2009 @08:27PM (#26977589) Homepage

      Some people have jobs which require opening email attachments from unknown people. Secretaries are often the first point of contact for files sent by the general public. The secretary is often charged with opening the attached file(s) to make sure they're conformant in some organizational sense, then placing a copy of the file somewhere appropriate (such as a file server where other people can further vet the files).

      I can easily see a situation where people are asked to upload files via a website to be opened by a committee later. Then everyone on the committee could be running on their machine with an administrative account (common for people who just bought a computer, sometimes having an admin account is viewed as a position of power and privilege).

      I'm not saying that any of these problems can't be solved. I'm saying that to frame the issue as strange malcontents trying to take advantage of someone isn't addressing the complexity of the issue at hand.

      It seems that this is just another area where overly-capable file formats, proprietary software, and programs that attempt to do too much are all coming together in an unpleasant way...again.

    • Well people you trust can be infected too and not know it and send you a picture of themselves on holiday, and you just viewed a .jpg that contained a hidden virus....it has happened. The whole email attachment bit is what I don't get, why send me attachments at all....unless I ask for them , then I get them....if you tell me the joke I wont need to download a 3mb powerpoint of it!!!

    • isn't there malware out there that can make it look like you are receiving an email from someone you know?

      If so, this is not just a matter of being smart enough to not open attachments from strangers.

  • Comment removed based on user account deletion
  • zero day? (Score:1, Insightful)

    by Anonymous Coward

    Does it really count as zero-day if it's been a bug for 9 years?

  • by Anonymous Coward

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]
    "BinaryFiles"=dword:00000001

    APK

    • by fuzzyfuzzyfungus ( 1223518 ) on Tuesday February 24, 2009 @03:33PM (#26974607) Journal
      That is only a workaround if you hate the guts of everybody who works the help desk...
      • by Anonymous Coward on Tuesday February 24, 2009 @04:06PM (#26975021)

        "That is only a workaround if you hate the guts of everybody who works the help desk." - by fuzzyfuzzyfungus (1223518) on Tuesday February 24, @03:33PM (#26974607)

        I suggest you do a bit of reading here then from the URL below...

        (Simply because, based on the data about this (straight from the horses' mouth @ MS)? There is a GOOD chance your networking folks will merge this on bootup logon scripts to protect you with it, @ this point so far @ least!)

        Microsoft Security Advisory (968272)

        Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution

        http://www.microsoft.com/technet/security/advisory/968272.mspx [microsoft.com]

        ----

        SALIENT EXCERPT/QUOTE:

        "Suggested Actions

        Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section:

        For Office 2003

        Windows Registry Editor Version 5.00

        [HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]

        "BinaryFiles"=dword:00000001

        Note In order to use 'FileOpenBlock' with Office 2003, all of the latest Office 2003 security updates must be applied.

        Impact of Workaround: Users who have configured the File Block policy and have not configured a special exempt directory as discussed in Microsoft Knowledge Base Article 922848 will be unable to open Office 2003 files or earlier versions in Office 2003 or 2007 Microsoft Office System.

        For 2007 Office system

        Windows Registry Editor Version 5.00

        [HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\FileOpenBlock]

        "BinaryFiles"=dword:00000001

        Note In order to use 'FileOpenBlock' with the 2007 Microsoft Office system, all of the latest security updates for the 2007 Microsoft Office system must be applied.

        Impact of Workaround: Users who have configured the File Block policy and have not configured a special exempt directory as discussed in Microsoft Knowledge Base Article 922848 will be unable to open Office 2003 files or earlier versions in Office 2003 or 2007 Microsoft Office System.

        How to Undo the Workaround:

        For Office 2003

        Windows Registry Editor Version 5.00

        [HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]

        "BinaryFiles"=dword:00000000

        For 2007 Office system

        Windows Registry Editor Version 5.00

        [HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock]

        "BinaryFiles"=dword:00000000"

        ----

        Especially since currently there is apparently NO other way to @ least protect yourself from this attack...

        APK

        P.S.=> The "adverse impacts" of this temporary work-around fix, IF any, are listed on said page also... apk

        • by fuzzyfuzzyfungus ( 1223518 ) on Tuesday February 24, 2009 @04:21PM (#26975215) Journal
          "will be unable to open Office 2003 files or earlier versions in Office 2003 or 2007 Microsoft Office System"

          That isn't going to go over well. At all.
          • We already can't open Office 2007 documents in Office 2003 so this just equalizes things.

        • Special File Exempt directory... hmmm what about the people who have Excel files in potentially hundreds of folders spread across many network servers? Ugh.

          But thanks for the workaround anyway, really it's better than nothing for those companies that must run Excel.

          OpenOffice keeps looking better and better every time this stuff happens. I haven't launched Office except to accept meeting invitations (and once to convert some Ami pro files) in years.
    • Cripes! And people say unix is complicated!
    • Official Microsoft Workaround: Get up from your desk, step around it, and stop working.
    • Thanks for not sourcing your information.

    • The average end-user doesn't want to have to open registry editors and manually modify esoteric values in obscure text configuration files. No matter how much hobbyists and enthusiasts wish otherwise, until there's an idiot-proof GUI that makes all of this happen in a single click, Windows will never be ready for the mainstream desktop.
  • 1. Open up a new document.
    2. Press F5.
    3. Type in x97:L97 in the reference box and press enter.
    4. Press tab.
    5. Hold down ctrl+shift.
    6. While holding these two buttons click on the chart wizard button on the icon bar (the button looks like a bar graph).
    7. Play the game while it secretly crafts a worm to take the extra money when transactions are rounded (only a few hundredths of a cent) and deposits them in an offshore account.
    8. ...?
    9. PROFIT!
  • So that I can feel good about having it turned on for all apps.
  • by Penguinisto ( 415985 ) on Tuesday February 24, 2009 @03:35PM (#26974643) Journal

    While such a vector would be pretty useless on the public nets, just out of academic curiosity, I wonder: how fast would this critter would travel if it got loaded onto a SharePoint site (you know, one with the handy Excel-handling plugin turned on?)

    Looking at it from the other end, how do you protect from such an eventuality without shutting off the plugin?

    /P

    • Looking at it from the other end, how do you protect from such an eventuality without shutting off the plugin?

      Same way you protect the client -- disable .xls binary files.

      OTOH, Sharepoint's Excel Web Services is a bitch to get anything to run, even when you're trying to. If you're using SharePoint in lieu of client-side Excel, it should effectively immuninize you from this bug, same as if you used OpenOffice on the client.

  • by whoever57 ( 658626 ) on Tuesday February 24, 2009 @03:51PM (#26974839) Journal
    With yet another incompatibility between OpenOffice and Excel, I really can't use OpenOffice.
  • by kkrajewski ( 1459331 ) on Tuesday February 24, 2009 @04:15PM (#26975153) Journal
    Reading plaintext unsafe. News at eleven.
  • by wealthychef ( 584778 ) on Tuesday February 24, 2009 @05:07PM (#26975673)
    FTFA: "Hackers have increasingly sought to find vulnerabilities in applications as Microsoft has spent much effort into making its Vista OS more secure."

    Is this true? Any corroborating info from anyone?

    • I never have issues with Vista. Of course, I'm also smart & knowledgeable enough not to open suspicious files or file attachments, run Avast! Antivirus, Spybot S&D, and Spybot's add-on program Teatimer (a handy thing that allows you to approve or deny any registry changes that occur at any time, during either installations or accidental visits to malicious websites that do things like change your registry entries to modify your "home page" to direct you to their site).

      I also usually have at least 2

      • More and more the amount of work to run Windows is becoming less and less appealing.

        OSx86, OS X, and Linux are getting very tempting

        • I don't find it to be that much work. I don't have to reinstall my OS more than once a year, and my anti-virus software passively prevents most infections.

          Isn't this an issue with all operating systems? Keeping security software running, browsing the internet safely, and knowing how to recover a computer that is totally lost to a malware infection?

          I can't imagine Linux being that much more or less work (besides the installation, which is assuredly more complicated).

      • I also usually have at least 2 computers on hand, so if a virus makes the thing totally FUBAR, I can recover the files by using the non-FUBAR'ed computer to access the other's hard drive, then format the drive and reinstall windows/drivers/etc. from scratch.

        Think about what you just wrote. /golfclap

        Personally, I think friends should not let friends do Microsoft Windows. But that's just me.

        • Well, I basically described how you can recover from any virus on any computer, regardless of your OS. The computer used to repair the infected one does not have to be very expensive, either; $40 at Goodwill ought to get you such a tower if you don't have these sort of things lying around from past upgrades. It can also run on a different OS than the computer you're recovering; you could recover your Windows box with a free install of Ubuntu.

          That's a much better deal, financially, than hauling the thing to

          • ... software made by third parties out there that the sporadic vulnerabilities in Windows/Internet Explorer/etc. have never been an issue for me.
    • Just edit the article and add a [citation needed] tag; I'm sure someone will add the evidence.

      What? Oh. Nevermind.

  • by chill ( 34294 ) on Tuesday February 24, 2009 @06:20PM (#26976467) Journal

    Once, long ago, Excel had a full flight simulator hidden in the code. Then Microsoft created the Flight Simulator team and it was one of their landmark "games".

    Fast forward many years. Microsoft closed down Flight Simulator and a few days later there is a "several year old zero-day" exploit in, of all places, Excel.

    Coincidence? I THINK NOT! Paybacks are a bitch, aren't they Mr. Ballmer?

    • Once, long ago, Excel had a full flight simulator hidden in the code. Then Microsoft created the Flight Simulator team and it was one of their landmark "games".

      Taking a trip in the time machine, this would disprove the assertion that there are no games for the Mac! ;-)

  • I'm safe - I'm still on Office 97

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...