Network News

X My Profile
View More Activity

Exploits Target Multiple Excel, IE Security Holes

Security researchers have released blueprints showing would-be attackers precisely how to exploit four unpatched security flaws in Microsoft Excel and Microsoft's Internet Explorer Web browser, at least two of which could be used by attackers to hijack vulnerable PCs.

Microsoft has acknowledged the existence of a pair of unpatched security flaws in Microsoft Excel, but said it has seen no signs of anyone exploiting them yet. However, if the past is any indicator, that may well change soon now that exploit code has been publicly released.

The first vulnerability for which exploit code is available involves a problem with the way Excel handles hyperlinks. The flaw could let hackers take over a vulnerable computer a user happens to open an Excel spreadsheet containing malicious code and then clicks on a link contained in the document.

An advisory from vulnerability-watcher Secunia rates this flaw as "highly critical" and says it has been confirmed on a fully-patched Windows XP Service Pack 2 system running Microsoft Excel 2003 SP2. But the advisory notes that other versions and products using the same vulnerable software components may also be affected.

The second Excel flaw earned an "extremely critical" rating from Secunia, it's most severe. Microsoft released an advisory with workarounds and other advice for how to mitigate the threat from this problem.

In addition, the SANS Internet Storm Center report on two sets of proof-of-concept code for a couple of other unpatched flaws in IE. One flaw could allow attackers to steal login credentials from other Web sites that a user is logged into -- such as Web-based e-mail. Secunia has posted an example that demonstrates how this attack might work.

The other set of proof-of-concept code published Tuesday exploits a potentially more serious flaw in IE that could let attackers deposit malicious programs on a target's Windows PC. SANS says this particular exploit "is limited in that it requires the user to double click on an icon to execute a potentially malicious payload, but we can expect to find creative use of this exploit in the wild very soon."

I recommend that people avoid IE for everyday browsing precisely because of these types of zero-day attacks. That is not to say the Firefox or Opera or other browsers have fewer security flaws; if anything, the last year has shown them to have a greater number of flaws than IE.

However, as my own research has shown, the people responsible for maintaining these other browsers tend to a) fix problems a great deal faster than does Microsoft, and b) fix them before people release exploit code showing bad guys how to take advantage of them.

If you are a diehard IE fan, you would be well-advised to either operate the browser under a limited user account or via the "drop my rights" program -- this prevents malicious Web sites from installing nasty stuff using exploits like the ones described above. Or follow SANS's advice and take advantage of a free program like SandboxIE, which prevents Web sites from changing settings in IE or Windows.

As always, be extremely judicious about opening attachments sent to you in e-mail. If you're not sure whether you should open an e-mail attachment, it's a good idea to reply back to the sender and ask whether that person meant to send you the document, even if it appears to come from someone you know. Scan any attachments (especially Excel documents) with up-to-date anti-virus software before opening, though this defense alone may not protect you from a maliciously crafted document sent via a targeted attack on your organization.

By Brian Krebs  |  June 28, 2006; 2:09 PM ET
Categories:  Latest Warnings  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Now, It's the GAO's Turn for a Data Gaffe
Next: Microsoft Reissues Anti-Piracy Tool, Lawyers Sue

Comments

The format of Internet Storm Center Diary links is the following nowadays:
http://isc.sans.org/diary.php?storyid=1448

They changed the domain incidents.org to isc.sans.org in 2004, or even earlier. Link like isc.incidents.org/... works as well, but it's better to use recent domain name.

Posted by: Juha-Matti Laurio | June 29, 2006 5:34 AM | Report abuse

The good thing about MS is the workaround/fixes are fast. And if it's not an ad hoc fix update, there's always Tech Tuesdays.

Now let's see if Firefox will plug their memory problem. You know the one that makes AJAX a liability with that browser with 50+MB per window memory usage? You know one that their bug team declares a cosmetic problem and not worthy of earmarked time to fix? Just keep the browser crashing then, I'm sure FF users just love to reserve like 400MB of memory for it's tabbed browser while they surf Google, too. :rolleyes:

SandyK

Posted by: SandyK | June 29, 2006 2:06 PM | Report abuse

Thank you for the advice Mr Brain. But I think this is just the beginning to things to come. We just all have to educate ourselves, to protect ourselves, and to be free. I intend to do just this.

Posted by: Benjamin Duncan | July 19, 2006 11:18 AM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company