Microsoft warns of Excel 0-day attack

  1. #1
    Black Cluster
    Join Date: Feb 2005
    Posts: 912

    Microsoft warns of Excel 0-day attack

    Microsoft warned on Friday that the software giant has received a single report of a company targeted by an attack using a previously unknown flaw in Excel.

    The warning comes the same week that Microsoft fixed a flaw in Word that had been used in targeted attacks that, at least on the face, appear similar. The software giant said its Office team is currently investigating the flaw and reiterated that customers should be cautious of attachments.

    "In order for this attack to be carried out, a user must first open a malicious Excel document that is sent as an email attachment or otherwise provided to them by an attacker," Mike Reavey, operations manager for the Microsoft Security Response Center, said in a post to the MSRC blog, noting that Windows will warn users to be careful of opening attachments from e-mail. "So remember to be very careful opening unsolicited attachments from both known and unknown sources."

    A year ago, the national computer emergency response teams in the United Kingdom, Canada and Australia all warned of targeted attacks hitting organizations in those countries. While the U.S. organization, US-CERT, did not issue an alert, antivirus companies acknowledged that low-volume e-mail attacks had targeted U.S. companies and government agencies. The attacks using Word and Excel flaws appear to continue the trend toward more focused attacks, while making the attacks much harder to detect because the exploited flaw had been previously unknown.

    Microsoft urged customers that believe they have been compromised by an attack using the Excel flaw to go to the company's Windows Live Safety Center to detect and remove the threat.

    Source
    "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts" ..... Spaf
    Every time I learn a new thing, I discover how ignorant I am. - ... Black Cluster

  2. #2
    StOrM™
    Join Date: Aug 2004
    Posts: 1,003

    Greetings,

    Posted 4 days back:

    http://www.antionline.com/showthread...&postid=905029

    But thanks for confirming it.

    Here is some more information on the same:

    http://isc.sans.org/diary.php?storyid=1431&rss

    Today there is news of another 0day vulnerability in Microsoft Office. You can check your favorite vulnerability notification service for all the gory details. Someone wrote asking for comments and honestly I don't have any step-by-step instructions for defending against this specific threat. All of the general high-level recommendations from the MS Word 0day a couple of weeks ago still apply. Perhaps we will have something more detailed later when the details are more clear.

    Instead, here are some thoughts about the current state of vulnerability discoveries. If you have followed along with the industry in the last couple of years, you have probably noticed that remote root/administrator type of bugs have slowly disappeared and now seem to be fairly rare. Most vulnerability researchers that are publishing advisories now seem to focus on web applications and clients (web browsers, Office, etc.). I am honestly expecting to see a healthy stream of client vulnerabilities in Office applications over the next 2-3 years. Several years ago, nobody cared too much about exploitable bugs in client side applications because remote bugs were still readily available. Of course, given the recent media attention about the MS Word 0day exploit, a lot of vulnerability researchers are now hitting Word with every available fuzzer that they have.

    So now we have a scenario where there will be a good number of 0day vulnerabilities discovered in client-side applications like MS Office and OpenOffice. Users will be advised not to open documents from unknown persons. So have we evolved? Or have we just jumped back in time ten years when every aspiring script kiddie was writing VBA Macro viruses?



    A vulnerability has been discovered in Microsoft Excel, which can be exploited by malicious people to compromise a user's system.

    The vulnerability is caused due to a memory corruption error in the "repair mode" functionality used for repairing corrupted documents. This can be exploited via specially crafted Excel documents.

    Successful exploitation allows execution of arbitrary code.

    The vulnerability has been confirmed on a fully updated Windows XP SP2 system with Microsoft Excel 2003 SP2. Other versions may also be affected.

    This vulnerability is a so-called 0-day and is already being actively exploited.




    http://secunia.com/advisories/20686/
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  3. #3
    StOrM™
    Join Date: Aug 2004
    Posts: 1,003

    Greetings,

    I also found this; although it has RECOMMENDATIONS FOR WORD FILES, they are good for Excel also. Again, I found this on SANS:


    * User education is of course key, but likely insufficient. Attacks like that will use very plausible messages. Create some examples to re-emphasize this fact. "What if you receive a message from a customer you know, referencing a project you are working on, that includes a Word document". Teach users to double check out of band. "Do not open the document before calling the customer".
    * Do not trust Antivirus alone. Defending against 0-day is all about defense in depth. Antivirus is likely going to fail you for an exploit like that. Consider a system that quarantines attachments for at least 6-12 hours to allow antivirus signatures to catch up. This may not be acceptable for a lot of organizations, but in particular right now, with a known exploit, it may be a reasonable step.
    * Limit users' privileges. The particular sample we received will not run as a non-administrator user. It will be MUCH easier to clean up after an exploit like that if the user had no administrator rights.
    * Monitor outbound traffic. Your IDS and your firewall are as valuable to protect your network from malicious traffic entering as they are in protecting you against your corporate secrets leaving your network. Consider deploying "honey tokens", files with interesting names that contain a particular signature your IDS will detect.
    * Block outbound traffic. Try to limit sites accessible to users and use techniques like proxy servers to isolate your clients further. Proxy filter logs will also work great as an IDS to detect suspect traffic.
    * Limit data on desktops. Try to teach users to limit data they store "in reach". This is a difficult balance. But a file on a remote system, which would require additional authentication, will likely not be accessible by a bot as in this case. Locally encrypted files will work too (as long as they stay encrypted until used). Encrypted file systems will not help as they will be accessible to the user opening the Word document.

    Again. None of these techniques are perfect. Each one can be circumvented. But the more layers you can wrap your users in the better. Think what will work well in your organization. Personal firewalls on desktop? Traffic control with flowtools or ntop? What are the tools you already have that can be used for this purpose.
    Another option might be to use the Microsoft Office viewer applications instead as your default, such as Word Viewer. You can get more information about and download the viewer programs from Microsoft. The Word Viewer application is not vulnerable to this specific exploit.
    Link: http://www.microsoft.com/office/000/viewers.asp
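The attachment-quarantine item in the SANS list above (hold attachments 6-12 hours so antivirus signatures can catch up), as an added example that is not part of the SANS text or of this thread. It decides on file content rather than file name: every OLE2 compound document, the binary container behind .xls/.doc/.ppt, starts with the same eight-byte signature, so a workbook renamed to .txt is still recognised and held. Standard library only (Python 3.9+); the message, the zero-padded "workbooks" and the clock value are constructed for the demo. The check covers only the binary compound-document format discussed in the thread, not XML-based Office files.

```python
"""Hold Office attachments for a fixed window before delivery.

Decides on file *content*, not on the file name: the first eight bytes of
every OLE2 compound document (the binary .xls/.doc/.ppt container) are a
fixed signature, so a renamed workbook is still recognised and held.
"""
import email
import os
from datetime import datetime, timedelta, timezone
from email import policy
from email.message import EmailMessage

# Signature at offset 0 of every OLE2 / Compound File Binary document.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Names Office treats as documents; used to report mismatches, never to decide.
OFFICE_EXTENSIONS = {".xls", ".xlt", ".xla", ".doc", ".dot", ".ppt", ".pps"}

HOLD_HOURS = 12  # top of the 6-12 hour window suggested in the thread

# Constructed clock value for the demo and tests; a real filter uses the current time.
SAMPLE_NOW = datetime(2006, 6, 16, 12, 0, tzinfo=timezone.utc)


def is_ole2(data: bytes) -> bool:
    """True if the bytes begin with the OLE2 compound-file signature."""
    return data[:8] == OLE2_MAGIC


def classify_attachment(filename: str, data: bytes) -> dict:
    """Decide whether one attachment is held, based on its bytes."""
    ext = os.path.splitext(filename)[1].lower()
    ole2 = is_ole2(data)
    return {
        "filename": filename,
        "ole2": ole2,
        # Name and content disagree: either a disguised Office file or a text
        # file wearing an Office extension. Worth logging either way.
        "extension_mismatch": ole2 != (ext in OFFICE_EXTENSIONS),
        # Hold on content alone; Excel opens a renamed workbook just the same.
        "hold": ole2,
    }


def triage_message(raw: bytes, now: datetime) -> list[dict]:
    """Parse a raw RFC 5322 message and classify each attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        verdict = classify_attachment(name, data)
        verdict["release_at"] = (
            (now + timedelta(hours=HOLD_HOURS)).isoformat() if verdict["hold"] else None
        )
        verdicts.append(verdict)
    return verdicts


def build_sample_message() -> bytes:
    """Constructed message for the demo, not real mail. Only the first bytes
    of each attachment matter to the check, so the 'workbooks' are just the
    signature followed by zero padding."""
    fake_workbook = OLE2_MAGIC + b"\x00" * 504
    msg = EmailMessage()
    msg["From"] = "customer@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Q2 figures"
    msg.set_content("Please see attached.")
    # 1. an Office document with a matching name: held
    msg.add_attachment(fake_workbook, maintype="application",
                       subtype="vnd.ms-excel", filename="figures.xls")
    # 2. the same document disguised as plain text: still held
    msg.add_attachment(fake_workbook, maintype="text",
                       subtype="plain", filename="notes.txt")
    # 3. a CSV wearing an .xls name: not a compound document, released
    msg.add_attachment(b"region,total\nnorth,42\n", maintype="text",
                       subtype="csv", filename="export.xls")
    return bytes(msg)


if __name__ == "__main__":
    for verdict in triage_message(build_sample_message(), SAMPLE_NOW):
        print(verdict)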
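The honey-token and proxy-log items in the same list, as an added example that is not from SANS or from this thread: plant a unique marker in a decoy file, then treat any sighting of that marker in outbound proxy logs as proof the file left the host. Since exfiltration tools commonly base64-encode what they take, the scanner also matches the marker in each of the three base64 alignments it can land on, and it URL-decodes the log line first because proxies record request data percent-encoded. Standard library only; the Squid-style log format, the 203.0.113.7 destination (a documentation address) and the log lines are constructed for the demo.

```python
"""Honey-token detection over proxy logs.

A honey token is a unique marker planted in a decoy file ("Q2-budget.xls",
"passwords.txt"); any sighting of it in outbound traffic means the file
left the host. Exfiltration tools commonly base64-encode what they steal,
so the scanner also looks for the marker in every base64 alignment.
"""
import base64
import secrets
from urllib.parse import quote, unquote


def make_honey_token() -> str:
    """A marker that will not occur by chance in legitimate traffic."""
    return "HT-" + secrets.token_hex(8)


def base64_fragments(token: str) -> list[str]:
    """Substrings present in the base64 encoding of *any* byte stream that
    contains `token`, one per 3-byte alignment the token can start at.

    A base64 character covers 6 bits and may straddle a token byte and an
    unknown neighbour; those characters are trimmed (up to 3 at the head,
    1 at the tail) so the fragment matches regardless of surrounding bytes.
    """
    raw = token.encode()
    fragments = []
    for shift in range(3):
        encoded = base64.b64encode(b"\x00" * shift + raw).decode().rstrip("=")
        head = {0: 0, 1: 2, 2: 3}[shift]
        tail = 1 if (shift + len(raw)) % 3 else 0
        fragments.append(encoded[head:len(encoded) - tail])
    return fragments


def scan_proxy_lines(lines: list[str], token: str) -> list[dict]:
    """One hit per log line in which the token appears, plain or base64."""
    needles = [("plain", token)] + [("base64", f) for f in base64_fragments(token)]
    hits = []
    for lineno, line in enumerate(lines, 1):
        # Proxies percent-encode request data, and some tools use the URL-safe
        # base64 alphabet ('-' '_' for '+' '/'); normalise both before searching.
        decoded = unquote(line)
        haystack = " ".join([line, decoded, decoded.replace("-", "+").replace("_", "/")])
        for kind, needle in needles:
            if needle in haystack:
                hits.append({"line": lineno, "encoding": kind, "text": line})
                break
    return hits


# Fixed token for the demo; a deployment generates one per decoy file.
SAMPLE_TOKEN = "HT-5f4dcc3b5aa765d6"


def sample_log_lines(token: str) -> list[str]:
    """Constructed Squid-style access log lines, not real traffic.
    Line 3 posts a percent-encoded base64 blob in which the token sits at a
    2-byte alignment; line 4 leaks it in clear text."""
    stolen = base64.b64encode(b"uid=3;data=" + token.encode() + b";end").decode()
    return [
        "1150451234.001 10.0.0.12 GET http://www.example.com/ 200 1834",
        "1150451235.120 10.0.0.12 GET http://update.example.org/feed.xml 304 0",
        f"1150451302.443 10.0.0.12 POST http://203.0.113.7/up.php?d={quote(stolen, safe='')} 200 52",
        f"1150451303.001 10.0.0.12 GET http://203.0.113.7/k.php?t={token} 200 3",
        "1150451310.000 10.0.0.15 GET http://www.example.com/news 200 4401",
    ]


if __name__ == "__main__":
    for hit in scan_proxy_lines(sample_log_lines(SAMPLE_TOKEN), SAMPLE_TOKEN):
        print(hit["line"], hit["encoding"], hit["text"])
```

The fragments are the only part that needs care: a token that starts one byte into a 3-byte group shares its first two base64 characters with the unknown byte before it, and a token whose length is not a multiple of three shares its last character with the byte after it, so those characters are dropped rather than guessed. Compressed or encrypted exfiltration defeats this, which is why the list pairs honey tokens with egress blocking rather than relying on either alone.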

  4. #4
    Black Cluster
    Join Date: Feb 2005
    Posts: 912
    Thanks ByTeWrangler; unfortunately, the search engine couldn't find any match. Thanks for the links.

    Cheers
