“Zero-day” Excel flaw used to hijack corporate, govt. systems

For the second time in the past five days, security researchers are warning that hackers are exploiting a critical unpatched vulnerability in widely-used software.

Attackers are exploiting a “zero-day,” or unfixed, flaw in Microsoft Corp.’s popular Excel spreadsheet, using the bug to hijack select systems in Asia, many of them in government offices and high-profile corporations, said Vincent Weafer, vice president of Symantec Corp.’s security response group.

The newest vulnerability, which is in all supported versions of Excel, including the latest — Excel in Office 2007 on Windows and in Office 2008 for the Mac — is in the program’s file format, said Weafer.

“This is very similar to the Adobe [Reader] vulnerability we found earlier in that it’s being used as a targeted threat,” said Weafer.

He said Symantec’s researchers first came across attack code yesterday, and reported their findings to Microsoft the same day.

Today, Microsoft issued a security advisory with more information about the bug; that’s typically a first step toward releasing a patch when a vulnerability goes public.

Microsoft spokesman Bill Sisk downplayed the threat to most users, repeating Weafer’s comment that attacks have been seen in only limited numbers. But he promised that the company would patch the problem.

“Microsoft is currently working to develop a security update for Microsoft Office that addresses this vulnerability and will release it after it has completed testing,” he said in an e-mail.

According to Microsoft’s advisory, Excel 2000, 2002, 2003 and 2007 on Windows, and Excel 2004 and 2008 on Mac OS X, are affected by the vulnerability.

Until a patch is produced, Microsoft said users could protect themselves by blocking Excel files from opening, a process that requires editing the Windows registry, normally a chore that’s beyond the ability of most users.

Alternately, users can run Excel 2003 documents through the Microsoft Office Isolated Conversion Environment (MOICE), a tool the company launched in 2007 that converts those files into the more-secure Office 2007 formats to strip out possible exploit code.

It’s not clear how effective MOICE will be in stymieing attacks, however, since the exploit now circulating was crafted with Excel 2007 in mind, said Weafer. According to additional analysis by Symantec, the exploit works on PCs running that version of Excel but fails against earlier editions.

Hackers are using the Excel bug to deliver a Trojan horse to targeted machines, added Weafer. The Trojan acts as a downloader that is capable of retrieving and installing additional malware on the hijacked computer.

Adobe Reader flaw

Weafer declined to draw a line between the recent zero-day dots. He noted that attacks come in waves.

This is true not just of the Excel flaw but also of the recent unpatched Adobe Reader vulnerability, which hackers exploited for several days in a similar fashion.

In that case, now that the exploit code has gone public, experts expect attacks to increase quickly.

The critical bug in Adobe Reader, the popular PDF-viewing software, was reported to Adobe on Feb. 12, according to Kevin Haley, a director in Symantec Corp.’s security response group.

“That was the same day that we had a sample of the exploit.”

Attacks were spotted in Asia, primarily in Japan, said Haley, as well as in a few other countries. But their small number led him to characterize them as “targeted,” meaning the victims had been specially selected.

“But this [bug] is not hard to exploit,” he added, indicating that Symantec expects the attacks to spread.

So does Andrew Storms, director of security operations at nCircle Network Security Inc. “If the history of Adobe Reader vulnerabilities shows us anything, it’s probably just a number of days before this takes off,” Storms said.

In a security advisory last week, Adobe acknowledged the bug and the ongoing attacks, and said that both Reader and Acrobat, an advanced PDF-creation and editing application, are vulnerable. Versions 7, 8 and 9 of both programs, on all platforms, contain the flaw, the company confirmed.

Adobe Reader, by far the more popular of the two applications, is available for Windows, Mac OS X and Linux.

Adobe plans to patch Reader 9 and Acrobat 9 — the most current versions — by March 11, and will then follow with fixes for Reader/Acrobat 8 and Reader/Acrobat 7, in that order. It did not spell out a timetable for updates to versions 7 and 8, however.

In the meantime, both Haley and Storms expect hackers to take advantage of the bug, possibly by integrating new attack code into the multistrike exploit kits that are frequently used by cybercriminals to launch attacks against users who are duped into visiting malicious Web sites.

“There’s no reason to think that that won’t happen,” he said. “Reader is a very popular application.”

The in-the-wild attacks trigger the bug with a Trojan horse that Symantec has pegged “Pidief.e,” which then installs several additional components to open a backdoor on the compromised computer.

That backdoor can later be used to inject additional malware into the machine.

Attacks could be initiated by spam messages that trick users into clicking through to a malicious site, or by packing exploit code in a file attachment.

Although neither Adobe nor Symantec provided details of the vulnerability, the Shadowserver.org site posted a partial analysis that claimed the bug was in a non-JavaScript function call.

“I had completely expected that this would be yet another JavaScript vulnerability in Reader,” said Storms, who has blasted Adobe in the past for what he has called an “epidemic” of JavaScript bugs.

Shadowserver.org’s write-up recommended that users disable JavaScript in Reader and Acrobat because, although the flaw is not in that code, turning off the feature helps protect against the current exploit.

“The exploit can be effectively mitigated by disabling JavaScript,” said Shadowserver. “In this scenario, Adobe [Reader] will still crash, but the required heap spray will not occur and code execution is not possible.”

Storms had no better advice, but wondered if that would be enough.

“What do we do in the meantime, between now and March 11, when Adobe patches this?” he asked. “Is the [disabling JavaScript] mitigation a good step or the only step? Without a look at the exploit, we can’t be sure.”

To disable JavaScript in Adobe Reader, Windows users should select “Preferences” from the Edit menu, then click on “JavaScript” in the ensuing list and uncheck the box marked “Enable Acrobat JavaScript.” Mac users will find Preferences under the “Adobe Reader” menu.
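For administrators who need to check or apply the JavaScript mitigation on many Windows machines rather than clicking through the Preferences dialog, the following PowerShell is an added example and not part of the Computerworld article or Adobe’s own tooling. It assumes Reader stores the “Enable Acrobat JavaScript” checkbox as a DWORD value named bEnableJS under HKCU\Software\Adobe\Acrobat Reader\<version>\JSPrefs; verify that location on your own build before relying on it.

```powershell
# Added example (not from the article): audit and, on request, disable Acrobat
# JavaScript in Adobe Reader for the current user by editing the registry.
# ASSUMPTION: the Preferences checkbox is persisted as the DWORD bEnableJS under
# HKCU\Software\Adobe\Acrobat Reader\<version>\JSPrefs (1 = enabled, 0 = disabled).
# ASSUMPTION: when the value is absent Reader falls back to its default (enabled).

function Get-ReaderJavaScriptState {
    # Returns one object per Reader version found under HKCU, with its JS state.
    $base = 'HKCU:\Software\Adobe\Acrobat Reader'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem -Path $base | ForEach-Object {
        $jsKey = "$base\$($_.PSChildName)\JSPrefs"
        $value = $null
        if (Test-Path $jsKey) {
            $value = (Get-ItemProperty -Path $jsKey -Name 'bEnableJS' `
                      -ErrorAction SilentlyContinue).bEnableJS
        }
        [pscustomobject]@{
            Version   = $_.PSChildName
            # Missing value is reported as enabled, matching the assumed default.
            JSEnabled = ($null -eq $value) -or ($value -ne 0)
        }
    }
}

function Disable-ReaderJavaScript {
    # Sets bEnableJS = 0 for every Reader version under HKCU, creating JSPrefs
    # if Reader has not written it yet, then returns the resulting state.
    foreach ($entry in Get-ReaderJavaScriptState) {
        $jsKey = "HKCU:\Software\Adobe\Acrobat Reader\$($entry.Version)\JSPrefs"
        if (-not (Test-Path $jsKey)) { New-Item -Path $jsKey -Force | Out-Null }
        Set-ItemProperty -Path $jsKey -Name 'bEnableJS' -Value 0 -Type DWord
    }
    Get-ReaderJavaScriptState
}

# Report the current state; uncomment the second line to apply the mitigation.
Get-ReaderJavaScriptState | Format-Table -AutoSize
# Disable-ReaderJavaScript | Format-Table -AutoSize
```

Because the value lives under HKCU, the script must run in each user’s session (or via a logon script) to cover every profile on a shared machine.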

Adobe Reader and Acrobat are no strangers to exploits. Last November, attackers jumped on a just-patched vulnerability in Reader 8.1.3 within days.

Source: Computerworld.com
