Security Vendors Spot Second Excel Bug - InformationWeek
02:39 PM

Security Vendors Spot Second Excel Bug

After security vendors reported a second zero-day bug in the popular business application, Microsoft is recommending several different defensive strategies.

Just days after Microsoft confirmed that its Excel spreadsheet had an unpatched vulnerability currently being exploited by attackers, security vendors on Tuesday reported a second zero-day bug in the popular business application.

Last Thursday Microsoft acknowledged that a critical flaw in Excel was being used by attackers who had targeted a single company, the second such admission in a month. In May, a bug in Microsoft Word was used in similar fashion by hackers who targeted a small number of victims. A week ago, Microsoft patched the Word flaw.

Monday, the Redmond, Wash. developer issued a security advisory that promised a patch for the first Excel vulnerability and spelled out several steps enterprises and individuals could take to protect their systems until a fix was released.

In the advisory, Microsoft noted that Excel 2000, 2002, and 2003 for Windows (as well as the for-free Excel Viewer 2003 utility), and Excel v. X and 2004 for the Mac were at risk. The company also recommended several different defensive strategies, ranging from blocking all Excel-related file types at the gateway to deleting 40 keys from the Windows Registry to block Excel documents from opening directly within the application.

Tuesday, however, security companies reported that proof-of-concept exploit code had gone public for yet another Excel bug, this time one in a DLL that handles hyperlinks in Excel worksheets.

"The vulnerability occurs when a user follows a long URL link contained in an Excel spreadsheet," wrote Symantec in a Tuesday alert to customers of its DeepSight Threat Management System. "Since the proof of concept does not include a payload, it will cause Excel to crash.

"This issue is not believed to be associated with the other recently discovered flaw in Excel, since the two vulnerabilities appear to be quite different," Symantec added.

The rapid appearance of multiple vulnerabilities in Microsoft Office applications -- and just as importantly, their use in attacks focused on a small number of companies -- isn't a surprise to security analysts, who have been remarking on the trend toward such "targeted" attacks for months.

"We are starting to see more targeted attacks," said Vincent Weafer, the senior director of Symantec's security response team. "And the exploitation of Office [applications] is also increasing."

Hackers engaged in targeted attacks -- which are motivated by profit and sometimes involves the sale of commercial secrets culled from the attack -- usually want to stay out of the public eye, but are willing to take the risk that Microsoft (and others) will sound the alarm over a Word or Excel flaw being exploited.

"If they can use the same exploit in two or more instances, all the better," said Weafer. "But they also want to get to something they know is in the victim's environment." Such as Office, which has the lion's share of the business application market.

Others see the increase in Office vulnerabilities and follow-on exploits as additional confirmation for another trend: that client-side exploits are not only the attack category de Jour, but the future of malware.

"Several years ago, nobody cared too much about exploitable bugs in client-side applications because remote bugs were still readily available," said Kyle Haugsness, an analyst with SANS Institute's Internet Storm Center, in an online research note. "I am honestly expecting to see a healthy stream of client vulnerabilities in Office applications over the next 2-3 years."

Symantec's Weafer conceded that the Word and Excel bugs were serious, but dismissed any danger to Office users as a group. "I don't think you need to be concerned about a targeted attack tomorrow. They're increasing, yes, but they're just a drop in the ocean compared to the number of malicious programs launched every day.

"Most [users] will never see an attack on Word or Excel."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
Digital Transformation Myths & Truths
Transformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll