New Vulnerability Leaves Microsoft Office Open to Attack

Ryan Drew
Microsoft has confirmed that a new security flaw has been discovered in certain versions of its popular spreadsheet software Excel, which is part of the ubiquitous Microsoft Office productivity suite. The flaw allows maliciously crafted spreadsheet files, known as '.xls' files, to be used as a method to infect a computer system with a payload virus.

At the time of writing, fully patched and up-to-date versions of Microsoft Excel 2000, Excel 2003, and Excel XP are vulnerable, as are Excel 2004 and 2004 v. X for Mac. Exploiting the flaw requires that a user open a file that has been specifically crafted to infect a victim. The most likely method of infection will be via e-mail attachments. Users should be wary of any unsolicited spreadsheet files they receive by email. There is also a chance that an infected spreadsheet opened from a website can be used as an attack vector.

As with any file a user receives, all '.xls' files downloaded from the Internet should be scanned with one of the many popular virus scanning programs. Be particularly wary of email attachments that you are not expecting. Most virus scanners have updated their databases to detect this virus.

The damage can potentially be mitigated if the user who accidentally opened the infected file was using an account that was not configured to have administrator rights on the system. With this attack the virus can only gain the same access rights as the user, so any limitations placed on the user for security reasons are inherited by the virus. This can potentially limit the ability of the virus to properly install its payload trojan program.

Several versions of Excel are not vulnerable to this particular attack. These include the version shipped with Microsoft Office 2007 and the Microsoft Works 2004, 2005, and 2006 packages.

If an infected '.xls' file is opened, Excel will close immediately and unexpectedly. The virus creates a file called 'Top10.exe' in the default temporary directory, which is usually 'C:\windows\temp\'. This file is run after it is created, installing the trojan package.

Microsoft has confirmed that it is aware of the problem but has not yet released a fix to close the hole. The virus that was found in the wild by security research companies installed a variant of the 'BackDoor-CWA' trojan. This piece of software is used to gain remote access to the infected systems. It may be capable of checking in with a remote system to notify the attacker that another system is under their control. The trojan package also establishes itself in the system so that it is run when the computer starts and stays running, disguising itself as an important system service.
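The behaviour described above (Excel closing and 'Top10.exe' being run from the temporary directory) can be checked for in process-creation records. The following is an added example, not part of the original article or of any vendor tool; the record layout and all sample values are constructed, and it generalizes slightly by flagging any executable that Excel starts from a temp directory.

```python
import ntpath  # applies Windows path rules on any operating system

# Constructed process-creation records: (timestamp, parent image, image, user).
# The layout and every value are assumptions for illustration, not real logs.
OFFICE = r"C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE"
SAMPLE_EVENTS = [
    ("2007-02-05T09:14:02", r"C:\WINDOWS\explorer.exe", OFFICE, "alice"),
    ("2007-02-05T09:14:05", OFFICE, r"C:\WINDOWS\Temp\Top10.exe", "alice"),
    ("2007-02-05T09:20:11", r"C:\WINDOWS\explorer.exe",
     r"C:\Program Files\Mozilla Firefox\firefox.exe", "bob"),
    ("2007-02-05T09:31:40", OFFICE,
     r"C:\Documents and Settings\carol\Local Settings\Temp\setup.exe", "carol"),
]

DROPPED_NAME = "top10.exe"  # file name reported in the article


def in_temp_dir(image):
    """True if any directory component of the path is named 'temp'."""
    parts = ntpath.normpath(image).lower().split("\\")
    return "temp" in parts[:-1]


def classify(parent, image):
    """Return the reasons a process start matches the described behaviour."""
    reasons = []
    if not in_temp_dir(image):
        return reasons
    name = ntpath.basename(image).lower()
    if name == DROPPED_NAME:
        reasons.append("dropper-name-in-temp")
    if ntpath.basename(parent).lower() == "excel.exe" and name.endswith(".exe"):
        reasons.append("excel-started-exe-from-temp")
    return reasons


def find_suspicious(events):
    """Return (timestamp, user, image, reasons) for every matching record."""
    hits = []
    for ts, parent, image, user in events:
        reasons = classify(parent, image)
        if reasons:
            hits.append((ts, user, image, reasons))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit)
```

A match on the file name alone is weak evidence, since the name is trivial to change; the parent-child rule is the more durable of the two checks.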

Microsoft 'Microsoft Security Advisory (932553)' URL: http://www.microsoft.com/technet/security/advisory/932553.mspx
McAfee 'Exploit-MSExcel.h' URL: http://vil.nai.com/vil/content/v_141393.htm
