Unpatched Excel Flaw Surfaces, Attacks Made

Hard on the heels of Tuesday's massive security update, on Thursday Microsoft disclosed that an attack is in play which exploits an unpatched bug in the popular Excel software.

The attack allowed hackers to hijack PCs.

According to a posting on the Microsoft Security Response Center blog, one customer was hit with a targeted attack via malicious Excel spreadsheets attached to e-mail messages. The MSRC, however, was skimpy with details.

"Here's what we know: In order for this attack to be carried out, a user must first open a malicious Excel document that is sent as an email attachment or otherwise provided to them by an attacker," wrote Mike Reavey, an MSRC program manager. "Note that opening it out of email will prompt you to be careful about opening the attachment. So remember to be very careful opening unsolicited attachments from both known and unknown sources."

Symantec, however, had more information.The attack is carried out, said the Cupertino, Calif. security company, by the Mdropper.j Trojan horse, which takes advantage of an undocumented Excel bug to drop the Booli.a downloader onto the compromised system. Mdropper.j is disguised as an Excel file, complete with the .xls file extension. Booli.a acts as a backdoor, giving the attacker complete access to the PC, and will let him introduce other malicious software, such as keyloggers, or use the machine as a spam zombie.

Symantec said that Mdropper.j successfully attacks Excel 2003 SP2 on a fully-patched Windows XP SP2 system, and may be able to exploit other versions of Excel and Windows. It may even work against Word XP.

That last may indicate a link between this newest zero-day vulnerability and the one which was used by hackers in May to attack several editions of Microsoft Word, including Word XP. That flaw was only fixed Tuesday.

Microsoft's Reavey didn't spell out a plan for patching the bug, but did say that detection for the Trojan horse has been added to the free-of-charge (and in beta) Windows Live Safety Center.

Other than to tell them to "avoid opening Excel documents wherever possible," Symantec didn't have much advice for users. Not surprisingly, it was not as cavalier as was Microsoft, which only said that it was working with anti-virus partners to put signatures in place."At the time of writing, exploitation of this issue in the wild is known to occur only as part of a targeted attack," Symantec said in an alert issued through its DeepSight Threat Management System on Friday. "However, with the disclosure of this previously unknown vulnerability, new attackers may begin to exploit it in a widespread manner."

Other security organizations rang the alarm on the bug as well. Danish vulnerability tracker Secunia, for example, tagged the Excel flaw as "extremely critical," its highest warning rank.

Herndon, Va.-based Secure Elements, meanwhile, rated the threat as a "10" in its 1 through 10 scale.

"I am sure it is not by accident that this was timed to be deployed immediately after Microsoft patch Tuesday," said Scott Carpenter, director of Secure's security labs, in a statement. "In recent similar attacks, Microsoft has not issued an out of cycle patch. The exploit's immediate release after patch Tuesday is evidently designed to take advantage of a full month before Microsoft is scheduled to patch [again]."