MS-ISAC ADVISORY NUMBER:
2009-009 Updated

DATE(S) ISSUED:
2/24/2009
4/14/2009 - UPDATED
6/9/2009 - UPDATED

SUBJECT:
Vulnerability in Microsoft Excel

ORIGINAL OVERVIEW:

A new vulnerability has been discovered in Microsoft Office Excel, a spreadsheet application written and distributed by Microsoft. This vulnerability can be exploited by opening a malicious Excel spreadsheet (.XLS) via email attachment, or by visiting a web site that is hosting a malicious Excel spreadsheet. Successful exploitation will result in the execution of arbitrary code with the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

There are confirmed reports that this vulnerability is being used for specific targeted attacks, although more widespread exploitation may occur when additional details regarding this vulnerability become available.

There is no patch available at this time.

April 14 UPDATED OVERVIEW:
Microsoft has released a patch for this vulnerability.

June 9 UPDATED OVERVIEW:
Microsoft has released an additional patch for this vulnerability.

SYSTEMS AFFECTED:

  • Microsoft Office 2000
  • Microsoft Office 2002
  • Microsoft Office 2003
  • Microsoft Office 2007
  • Microsoft Office 2004 for Mac
  • Microsoft Office 2008 for Mac
  • Open XML File Format Converter for Mac

April 14 UPDATED SYSTEMS AFFECTED:

  • Microsoft Office Excel Viewer
  • Microsoft Office Compatibility Pack Service Pack 1

June 9 UPDATED SYSTEMS AFFECTED:

  • Excel Services in Microsoft Office SharePoint Server 2007
  • Microsoft Office Compatibility Pack Service Pack 2

RISK:

Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: High

DESCRIPTION:
A new vulnerability has been identified in all versions of Microsoft Excel that may allow remote code execution. There are currently no details as to what the specific cause of this vulnerability is. This vulnerability is caused by an invalid object reference that can be exploited by opening a malicious Excel spreadsheet (.XLS) via email attachment, or by visiting a web site that is hosting a malicious Excel spreadsheet. Successful exploitation will result in an attacker gaining the same user privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Security vendors have identified a Trojan that exploits this vulnerability on the Internet. When executed, it opens a backdoor and attempts to connect to a remote site via port 80/TCP. Some anti-virus vendors currently detect this Trojan. Symantec detects it as Trojan.Mdropper.AC; McAfee detects it as Exploit-MSExcel.r Trojan, and the dropped files as BackDoor-DUE Trojan.

There are confirmed reports that this vulnerability is being used for specific targeted attacks, although more widespread exploitation may occur when additional details regarding this vulnerability become available.

There is no patch available at this time.

April 14 UPDATED DESCRIPTION:
Microsoft has released a patch for this vulnerability.

June 9 UPDATED DESCRIPTION:
Microsoft has released an additional patch for this vulnerability.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Do not visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Do not open email attachments from untrusted sources.
  • Ensure that all anti-virus software is up to date with the latest signatures.
  • If applicable, follow Microsoft's suggested actions in their security advisory: http://www.microsoft.com/technet/security/advisory/968272.mspx
  • Install the appropriate vendor patch as soon as it becomes available after appropriate testing.

April 14 UPDATED RECOMMENDATIONS:

  • Apply the appropriate patch to vulnerable systems immediately after appropriate testing.

June 9 UPDATED RECOMMENDATIONS:

  • Apply the new patch to vulnerable systems immediately after appropriate testing, even if the previous patch was applied.

ORIGINAL REFERENCES:
Microsoft:
http://blogs.technet.com/msrc/
http://www.microsoft.com/technet/security/advisory/968272.mspx

Security Focus:
http://www.securityfocus.com/bid/33870/info

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0238

McAfee:
http://www.avertlabs.com/research/blog/index.php/2009/02/24/dont-post-yetnew-excel-trojans-in-the-wild/

Secunia:
http://secunia.com/advisories/33954/

April 14 UPDATED REFERENCES:

Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS09-009.mspx

June 9 UPDATED REFERENCES:

Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS09-021.mspx

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0549
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0557
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0558
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0559
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0560
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0561
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1134


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.