Exploits Target Multiple Excel, IE Security Holes
Security researchers have released blueprints showing would-be attackers precisely how to exploit four unpatched security flaws in Microsoft Excel and Microsoft's Internet Explorer Web browser, at least two of which could be used by attackers to hijack vulnerable PCs.
Microsoft has acknowledged the existence of a pair of unpatched security flaws in Microsoft Excel, but said it has seen no signs of anyone exploiting them yet. However, if the past is any indicator, that may well change soon now that exploit code has been publicly released.
The first vulnerability for which exploit code is available involves a problem with the way Excel handles hyperlinks. The flaw could let hackers take over a vulnerable computer a user happens to open an Excel spreadsheet containing malicious code and then clicks on a link contained in the document.
An advisory from vulnerability-watcher Secunia rates this flaw as "highly critical" and says it has been confirmed on a fully-patched Windows XP Service Pack 2 system running Microsoft Excel 2003 SP2. But the advisory notes that other versions and products using the same vulnerable software components may also be affected.
The second Excel flaw earned an "extremely critical" rating from Secunia, it's most severe. Microsoft released an advisory with workarounds and other advice for how to mitigate the threat from this problem.
In addition, the SANS Internet Storm Center report on two sets of proof-of-concept code for a couple of other unpatched flaws in IE. One flaw could allow attackers to steal login credentials from other Web sites that a user is logged into -- such as Web-based e-mail. Secunia has posted an example that demonstrates how this attack might work.
The other set of proof-of-concept code published Tuesday exploits a potentially more serious flaw in IE that could let attackers deposit malicious programs on a target's Windows PC. SANS says this particular exploit "is limited in that it requires the user to double click on an icon to execute a potentially malicious payload, but we can expect to find creative use of this exploit in the wild very soon."
I recommend that people avoid IE for everyday browsing precisely because of these types of zero-day attacks. That is not to say the Firefox or Opera or other browsers have fewer security flaws; if anything, the last year has shown them to have a greater number of flaws than IE.
However, as my own research has shown, the people responsible for maintaining these other browsers tend to a) fix problems a great deal faster than does Microsoft, and b) fix them before people release exploit code showing bad guys how to take advantage of them.
If you are a diehard IE fan, you would be well-advised to either operate the browser under a limited user account or via the "drop my rights" program -- this prevents malicious Web sites from installing nasty stuff using exploits like the ones described above. Or follow SANS's advice and take advantage of a free program like SandboxIE, which prevents Web sites from changing settings in IE or Windows.
As always, be extremely judicious about opening attachments sent to you in e-mail. If you're not sure whether you should open an e-mail attachment, it's a good idea to reply back to the sender and ask whether that person meant to send you the document, even if it appears to come from someone you know. Scan any attachments (especially Excel documents) with up-to-date anti-virus software before opening, though this defense alone may not protect you from a maliciously crafted document sent via a targeted attack on your organization.
Posted by: Juha-Matti Laurio | June 29, 2006 5:34 AM | Report abuse
Posted by: SandyK | June 29, 2006 2:06 PM | Report abuse
Posted by: Benjamin Duncan | July 19, 2006 11:18 AM | Report abuse
The comments to this entry are closed.