The zero-day vulnerability's danger could extend beyond malicious Excel files.
Yet another unpatched bug in Microsoft's widely used Office application suite is being used by hackers to hijack computers, the company's security team has warned.
Late Friday, Microsoft's Security Response Center (MSRC) confirmed that malformed Excel spreadsheets are being used to trigger an unspecified vulnerability in Office 2000, Office XP, Office 2003, and Office 2004 for Mac.
"We are aware of very limited, targeted attacks attempting to use the vulnerability reported," said Alexandra Huft, a security program manager with MSRC, on the group's blog. The company "will provide updates through the MSRC weblog or the advisory as new information develops."
In an associated security advisory, however, Microsoft said the zero-day vulnerability's danger could extend beyond malicious Excel files. "While we are currently only aware that Excel is the current attack vector, other Office applications are potentially vulnerable," the advisory read. A patch is under development, Microsoft added.
"It's still too new to know whether this might actually impact other applications in Office," says Ken Dunham, director of VeriSign iDefense's rapid response team. "Part of the confusion in attacks like this is that the payload has to be examined to see if the vulnerability is the same [as an earlier one] or different, then the vulnerable component must be found. It's a somewhat lengthy process."
The Excel flaw is the fifth unpatched bug in Microsoft Office that's been confirmed since early December 2006. The four others -- three in December, one in January 2007 -- lurked in various versions of Microsoft Word. The run is similar to a multi-month run of Office vulnerabilities in mid-2006.
"Once hackers have [hold of] a file format with vulnerabilities, they focus on it," says Dunham in explaining why it's often the case that one bug leads to a second, a second to a third, and so on. "The same thing happened last year when they found a bug in the WMF [Windows Metafile] format. They started wondering what other image file formats had vulnerabilities."
Hackers, in fact, will systematically test a file format with "fuzzers," software tools that stress test applications with random input to look for crash conditions. VeriSign's iDefense researchers have spotted online test results of the Chinese hacking crews that launched targeted attacks in 2006 using malicious Office documents, Dunham said.
"When they find one hacker Easter egg [vulnerability], they naturally try to find more," says Dunham.
Users can protect themselves by not opening Office documents attached to e-mail messages or offered as downloads by Web sites, said Microsoft. Office 2007, the newest version of the Windows productivity suite, is also immune to the exploit.
The next regularly scheduled security updates from Microsoft will be issued Tuesday, Feb. 13. Microsoft hasn't said whether some, or all, of the unfixed Office flaws will be patched then.