After security vendors reported a second zero-day bug in the popular business application, Microsoft is recommending several different defensive strategies.
Just days after Microsoft confirmed that its Excel spreadsheet had an unpatched vulnerability currently being exploited by attackers, security vendors on Tuesday reported a second zero-day bug in the popular business application.
Monday, the Redmond, Wash. developer issued a security advisory that promised a patch for the first Excel vulnerability and spelled out several steps enterprises and individuals could take to protect their systems until a fix was released.
In the advisory, Microsoft noted that Excel 2000, 2002, and 2003 for Windows (as well as the for-free Excel Viewer 2003 utility), and Excel v. X and 2004 for the Mac were at risk. The company also recommended several different defensive strategies, ranging from blocking all Excel-related file types at the gateway to deleting 40 keys from the Windows Registry to block Excel documents from opening directly within the application.
Tuesday, however, security companies reported that proof-of-concept exploit code had gone public for yet another Excel bug, this time one in a DLL that handles hyperlinks in Excel worksheets.
"The vulnerability occurs when a user follows a long URL link contained in an Excel spreadsheet," wrote Symantec in a Tuesday alert to customers of its DeepSight Threat Management System. "Since the proof of concept does not include a payload, it will cause Excel to crash.
"This issue is not believed to be associated with the other recently discovered flaw in Excel, since the two vulnerabilities appear to be quite different," Symantec added.
The rapid appearance of multiple vulnerabilities in Microsoft Office applications -- and just as importantly, their use in attacks focused on a small number of companies -- isn't a surprise to security analysts, who have been remarking on the trend toward such "targeted" attacks for months.
"We are starting to see more targeted attacks," said Vincent Weafer, the senior director of Symantec's security response team. "And the exploitation of Office [applications] is also increasing."
Hackers engaged in targeted attacks -- which are motivated by profit and sometimes involves the sale of commercial secrets culled from the attack -- usually want to stay out of the public eye, but are willing to take the risk that Microsoft (and others) will sound the alarm over a Word or Excel flaw being exploited.
"If they can use the same exploit in two or more instances, all the better," said Weafer. "But they also want to get to something they know is in the victim's environment." Such as Office, which has the lion's share of the business application market.
Others see the increase in Office vulnerabilities and follow-on exploits as additional confirmation for another trend: that client-side exploits are not only the attack category de Jour, but the future of malware.
"Several years ago, nobody cared too much about exploitable bugs in client-side applications because remote bugs were still readily available," said Kyle Haugsness, an analyst with SANS Institute's Internet Storm Center, in an online research note. "I am honestly expecting to see a healthy stream of client vulnerabilities in Office applications over the next 2-3 years."
Symantec's Weafer conceded that the Word and Excel bugs were serious, but dismissed any danger to Office users as a group. "I don't think you need to be concerned about a targeted attack tomorrow. They're increasing, yes, but they're just a drop in the ocean compared to the number of malicious programs launched every day.
"Most [users] will never see an attack on Word or Excel."
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.