MS-ISAC ADVISORY NUMBER:
2009-009 Updated
DATE(S) ISSUED:
2/24/2009
4/14/2009 - Updated
SUBJECT:
A Vulnerability in Microsoft Excel Could Allow Remote Code Execution
ORIGINAL OVERVIEW:
A new vulnerability has been discovered in Microsoft Office Excel, a spreadsheet application written and distributed by Microsoft. This vulnerability can be exploited by opening a malicious Excel spreadsheet (.XLS) received as an email attachment, or by visiting a web site that is hosting a malicious Excel spreadsheet. Successful exploitation will result in the execution of arbitrary code with the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
There are confirmed reports that this vulnerability is being used for specific targeted attacks although more widespread exploitation may occur when additional details regarding this vulnerability become available.
There is no patch available at this time.
UPDATED OVERVIEW:
Microsoft has released a patch for this vulnerability.
SYSTEMS AFFECTED:
- Microsoft Office 2000
- Microsoft Office 2002
- Microsoft Office 2003
- Microsoft Office 2007
- Microsoft Office 2004 for Mac
- Microsoft Office 2008 for Mac
- Open XML File Format Converter for Mac
UPDATED SYSTEMS AFFECTED:
- Microsoft Office Excel Viewer
- Microsoft Office Compatibility Pack Service Pack 1
RISK:
Government:
Large and medium government entities: High
Small government entities: High
Businesses:
Large and medium business entities: High
Small business entities: High
Home users: High
DESCRIPTION:
A new vulnerability has been identified in all versions of Microsoft Excel that may allow remote code execution. Microsoft has not published full details of the root cause; the vulnerability is described as an invalid object reference that can be triggered by opening a malicious Excel spreadsheet (.XLS) received as an email attachment, or by visiting a web site that is hosting a malicious Excel spreadsheet. Successful exploitation will result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Security vendors have identified a Trojan in the wild that exploits this vulnerability. When executed, it opens a backdoor and attempts to connect to a remote site over 80/TCP. Some anti-virus vendors currently detect this Trojan: Symantec detects it as Trojan.Mdropper.AC, and McAfee detects the exploit document as Exploit-MSExcel.r and the dropped files as BackDoor-DUE.
There are confirmed reports that this vulnerability is being used for specific targeted attacks although more widespread exploitation may occur when additional details regarding this vulnerability become available.
There is no patch available at this time.
UPDATED DESCRIPTION:
Microsoft has released a patch for this vulnerability.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Do not visit untrusted websites or follow links provided by unknown or untrusted sources.
- Do not open email attachments from untrusted sources.
- Ensure that all anti-virus software is up to date with the latest signatures.
- If applicable, follow Microsoft's suggested actions in their security advisory http://www.microsoft.com/technet/security/advisory/968272.mspx
- Install the appropriate vendor patch as soon as it becomes available after appropriate testing.
UPDATED RECOMMENDATIONS:
- Apply the appropriate patch to vulnerable systems immediately after appropriate testing.
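The exploit vector above is a legacy binary Excel workbook (.XLS), and a file extension alone is not a reliable way to find such attachments at a mail or web gateway: the binary format is an OLE2 compound file whose workbook lives in a stream named "Workbook" (BIFF8) or "Book" (BIFF5/7), whatever the file is called. The following Python script is an added example written for this advisory, not code from MS-ISAC or Microsoft. It walks the compound-file FAT and directory to list stream names and flags any file carrying a workbook stream so it can be quarantined for inspection; the sample attachments it scans are constructed inline, and the payload bytes in them are placeholders, not an exploit.

```python
import struct

# OLE2 / Compound File Binary constants (MS-CFB)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN = 0xFFFFFFFE
FREESECT = 0xFFFFFFFF
FATSECT = 0xFFFFFFFD
EXCEL_STREAMS = {"Workbook", "Book"}   # BIFF8 and BIFF5/7 workbook stream names


def _sector(data, n, ss):
    """Return sector n (0-based, header excluded) or raise on a truncated file."""
    off = (n + 1) * ss
    if off + ss > len(data):
        raise ValueError("sector %d lies past end of file" % n)
    return data[off:off + ss]


def _chain(fat, start):
    """Follow a FAT chain; a loop in a crafted file raises instead of hanging."""
    seen, s = set(), start
    while s < len(fat):
        if s in seen:
            raise ValueError("cyclic FAT chain")
        seen.add(s)
        yield s
        s = fat[s]          # ENDOFCHAIN/FREESECT are >= len(fat) and end the walk


def ole_stream_names(data):
    """Names of all storages and streams in an OLE2 compound file."""
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2 compound file")
    ss = 1 << struct.unpack_from("<H", data, 30)[0]
    if ss not in (512, 4096):
        raise ValueError("unsupported sector size %d" % ss)
    per = ss // 4
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    first_difat, num_difat = struct.unpack_from("<II", data, 68)
    # FAT sector list: 109 entries in the header, then chained DIFAT sectors
    fat_sectors = [s for s in struct.unpack_from("<109I", data, 76) if s != FREESECT]
    s, hops = first_difat, 0
    while s < FATSECT and hops < num_difat:
        chunk = struct.unpack_from("<%dI" % per, _sector(data, s, ss))
        fat_sectors.extend(x for x in chunk[:-1] if x != FREESECT)
        s, hops = chunk[-1], hops + 1
    fat = []
    for s in fat_sectors[:num_fat]:
        fat.extend(struct.unpack_from("<%dI" % per, _sector(data, s, ss)))
    names = []
    for s in _chain(fat, first_dir):
        sector = _sector(data, s, ss)
        for off in range(0, ss, 128):          # 128-byte directory entries
            entry = sector[off:off + 128]
            name_len = struct.unpack_from("<H", entry, 64)[0]
            if entry[66] not in (1, 2, 5) or not 2 <= name_len <= 64:
                continue                        # unused entry or bad name length
            names.append(entry[:name_len - 2].decode("utf-16-le", "replace"))
    return names


def is_legacy_excel(data):
    """True if the bytes are an OLE2 file containing a BIFF workbook stream."""
    try:
        return any(n in EXCEL_STREAMS for n in ole_stream_names(data))
    except ValueError:
        return False


def scan_attachments(attachments):
    """Map each (filename, bytes) pair to whether it should be quarantined."""
    return {name: is_legacy_excel(blob) for name, blob in attachments}


# --- constructed sample files (minimal valid compound files, placeholder payloads) ---
def _dir_entry(name, obj_type, start, size, child=FREESECT):
    raw = name.encode("utf-16-le") + b"\x00\x00"
    e = bytearray(128)
    e[:len(raw)] = raw
    struct.pack_into("<HBB", e, 64, len(raw), obj_type, 1)
    struct.pack_into("<III", e, 68, FREESECT, FREESECT, child)
    struct.pack_into("<IQ", e, 116, start, size)
    return bytes(e)


def build_sample_ole(stream_name, payload):
    """512-byte-sector OLE2 file: sector 0 = FAT, 1 = directory, 2 = the stream."""
    ss = 512
    header = bytearray(ss)
    header[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<II", header, 44, 1, 1)               # 1 FAT sector, dir at sector 1
    struct.pack_into("<I", header, 56, 4096)
    struct.pack_into("<IIII", header, 60, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))
    fat = [FATSECT, ENDOFCHAIN, ENDOFCHAIN] + [FREESECT] * (ss // 4 - 3)
    dir_sector = (_dir_entry("Root Entry", 5, ENDOFCHAIN, 0, child=1)
                  + _dir_entry(stream_name, 2, 2, len(payload))).ljust(ss, b"\x00")
    return bytes(header) + struct.pack("<128I", *fat) + dir_sector + payload.ljust(ss, b"\x00")


SAMPLES = [  # constructed; names deliberately mismatch content
    ("report.xls", build_sample_ole("Workbook", b"\x09\x08\x10\x00\x00\x06")),
    ("invoice.pdf", build_sample_ole("Book", b"\x09\x08")),
    ("memo.xls", build_sample_ole("WordDocument", b"\xec\xa5")),
    ("notes.txt", b"just text, not a compound file"),
]

if __name__ == "__main__":
    for name, quarantine in scan_attachments(SAMPLES).items():
        print("%-12s %s" % (name, "QUARANTINE (legacy Excel workbook)" if quarantine else "pass"))
```

Files under the 4096-byte mini-stream cutoff normally keep their data in the mini stream rather than a regular sector; the check never reads stream contents, only directory names, so that distinction does not affect the verdict. A file that is not a compound file (text, PDF, or the zip-based .xlsx format) is reported as "pass" rather than raising, so the scanner can be run over every attachment.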
REFERENCES:
Microsoft:
http://blogs.technet.com/msrc/
http://www.microsoft.com/technet/security/advisory/968272.mspx
Security Focus:
http://www.securityfocus.com/bid/33870/info
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0238
Secunia:
http://secunia.com/advisories/33954/
UPDATED REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS09-009.mspx
This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.
