MS-ISAC ADVISORY NUMBER:
2009-009

DATE(S) ISSUED:
2/24/2009

SUBJECT:
A Vulnerability in Microsoft Excel Could Allow Remote Code Execution

OVERVIEW:

A new vulnerability has been discovered in Microsoft Office Excel, a spreadsheet application written and distributed by Microsoft. This vulnerability can be exploited by opening a malicious Excel spreadsheet (.XLS) via email attachment, or by visiting a web site that is hosting a malicious Excel spreadsheet. Successful exploitation will result in the execution of arbitrary code with the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

There are confirmed reports that this vulnerability is being used for specific targeted attacks although more widespread exploitation may occur when additional details regarding this vulnerability become available.

There is no patch available at this time.

SYSTEMS AFFECTED:

  • Microsoft Office 2000
  • Microsoft Office 2002
  • Microsoft Office 2003
  • Microsoft Office 2007
  • Microsoft Office 2004 for Mac
  • Microsoft Office 2008 for Mac
  • Open XML File Format Converter for Mac

RISK:

Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: High

DESCRIPTION:
A new vulnerability has been identified in all versions of Microsoft Excel that may allow remote code execution. There are currently no details as to the specific cause of this vulnerability. This vulnerability is caused by an invalid object reference that can be exploited by opening a malicious Excel spreadsheet (.XLS) via email attachment, or by visiting a web site that is hosting a malicious Excel spreadsheet. Successful exploitation will result in an attacker gaining the same user privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Security vendors have identified a Trojan that exploits this vulnerability on the Internet. When executed, it opens a backdoor and attempts to connect to a remote site via port 80/TCP. Some anti-virus vendors currently detect this Trojan. Symantec detects this as Trojan.Mdropper.AC and McAfee detects this as Exploit-MSExcel.r Trojan, and the dropped files as BackDoor-DUE Trojan.

There are confirmed reports that this vulnerability is being used for specific targeted attacks although more widespread exploitation may occur when additional details regarding this vulnerability become available.

There is no patch available at this time.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Do not visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Do not open email attachments from untrusted sources.
  • Ensure that all anti-virus software is up to date with the latest signatures.
  • If applicable, follow Microsoft's suggested actions in their security advisory: http://www.microsoft.com/technet/security/advisory/968272.mspx
  • Install the appropriate vendor patch as soon as it becomes available after appropriate testing.

REFERENCES:
Microsoft:
http://blogs.technet.com/msrc/
http://www.microsoft.com/technet/security/advisory/968272.mspx

Security Focus:
http://www.securityfocus.com/bid/33870/info

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0238

McAfee:
http://www.avertlabs.com/research/blog/index.php/2009/02/24/dont-post-yetnew-excel-trojans-in-the-wild/

Secunia:
http://secunia.com/advisories/33954/


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.