Topic: MS Excel 'Zero-Day' Flaw and Workarounds
Wiz Feinberg
From: Mid-Michigan, USA
Posted 20 Jun 2006 7:14 am
If you use or download Microsoft Excel spreadsheets online you should read this!
Microsoft Security Advisory (921365)
- Title: Vulnerability in Excel Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/921365.mspx
- Revision Note: Advisory Published: June 19, 2006
Microsoft is investigating new public reports of limited “zero-day” attacks using a vulnerability in Microsoft Excel 2003, Excel Viewer 2003, Excel 2002, Excel 2000, Microsoft Excel 2004 for Mac, and Microsoft Excel v. X for Mac. In order for this attack to be carried out, a user must first open a malicious Excel file attached to an e-mail or otherwise provided to them by an attacker.
Opening the Excel document out of email will prompt the user to be careful about opening the attachment.
As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources. Microsoft has added detection to the Windows Live Safety Center today for up-to-date removal of malicious software that attempts to exploit this vulnerability.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
I have posted a series of recommended workarounds, and further details about the nature of this vulnerability on my blog. The workarounds are in the extended comments.
------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage.
Learn about current computer virus and security threats here.
Read Wiz's Blog for security news and update notices
b0b
From: Cloverdale, CA, USA
Posted 21 Jun 2006 7:39 am
I wonder if it's related to the Jan/Feb 1900 bug. Click here for the whole story.
------------------
Bobby Lee
-b0b- quasar@b0b.com
System Administrator
My Blog
Wiz Feinberg
From: Mid-Michigan, USA
Posted 22 Jun 2006 8:30 am
The "bug" has nothing to do with the year 2000.
Here are two reports about unpatched Excel flaws from Secunia.
1: Microsoft Excel Repair Mode Code Execution Vulnerability http://secunia.com/advisories/20686/
Secunia Advisory: SA20686
Advisory Release Date: 2006-06-16
Last Update: 2006-06-20
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Vendor Workaround
Software:
Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 2003
Microsoft Excel Viewer 2003
Microsoft Office 2000
Microsoft Office 2003 Professional Edition
Microsoft Office 2003 Small Business Edition
Microsoft Office 2003 Standard Edition
Microsoft Office 2003 Student and Teacher Edition
Microsoft Office 2004 for Mac
Microsoft Office X for Mac
Microsoft Office XP
CVE reference: CVE-2006-3059
Description:
A vulnerability has been discovered in Microsoft Excel, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a memory corruption error in the "repair mode" functionality used for repairing corrupted documents. This can be exploited via a specially crafted Excel document.
Successful exploitation allows execution of arbitrary code.
The vulnerability has been confirmed on a fully updated Windows XP SP2 system with Microsoft Excel 2003 SP2. Other versions may also be affected.
NOTE: This vulnerability is a so-called 0-day and is already being actively exploited.
Solution:
Don't open untrusted Excel documents.
The vendor has published various workarounds (see vendor advisory).
Provided and/or discovered by:
Discovered in the wild.
Changelog:
2006-06-20: Added additional information from Microsoft. Added CVE reference. Updated "Solution" section by referring to vendor workarounds.
Original Advisory:
Microsoft: http://www.microsoft.com/technet/security/advisory/921365.mspx http://blogs.technet.com/msrc/archive/2006/06/16/436174.aspx
2: Microsoft Windows Hyperlink Object Library Buffer Overflow http://secunia.com/advisories/20748/
Secunia Advisory: SA20748
Advisory Release Date: 2006-06-20
Last Update: 2006-06-22
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
OS:
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
CVE reference: CVE-2006-3086
Description:
kcope has discovered a vulnerability in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to a boundary error in hlink.dll within the handling of Hyperlinks in e.g. Excel documents. This can be exploited to cause a stack-based buffer overflow by tricking a user into clicking a specially crafted Hyperlink in a malicious Excel document.
Successful exploitation allows execution of arbitrary code.
The vulnerability has been confirmed on a fully patched Windows XP SP2 system running Microsoft Excel 2003 SP2. Other versions and products using the vulnerable library may also be affected.
Solution:
Do not open untrusted Microsoft Office documents.
Do not follow links in Microsoft Office documents.
Provided and/or discovered by: kcope
Changelog:
2006-06-22: Added CVE reference. Added link to US-CERT vulnerability note. Added various Windows versions as vulnerable instead of Office products.
Original Advisory:
Microsoft: http://blogs.technet.com/msrc/archive/2006/06/20/437826.aspx
Other References:
US-CERT VU#394444: http://www.kb.cert.org/vuls/id/394444
------------------
b0b
From: Cloverdale, CA, USA
Posted 22 Jun 2006 9:40 am
So what does the term "zero-day" refer to?
In Microsoft Basic, day 0 is Dec 31, 1899. In Excel, day 0 is Jan 1, 1900. This flaw/patch seems to have nothing to do with the actual zero day of Excel.
------------------
Wiz Feinberg
From: Mid-Michigan, USA
Posted 22 Jun 2006 10:04 am
Quote:
NOTE: This vulnerability is a so-called 0-day and is already being actively exploited.
The Zero Day referred to in security alerts means that there was no time delay between the public announcement of a vulnerability and exploits found in the wild (on blackhat hacker websites). Having flaws exploited almost the same day that their discovery is publicized doesn't allow the software vendor any time to create a patch before the public is in severe danger.
These two Excel vulnerabilities were publicized right after Microsoft released 12 critical patches, on June 13. This was no coincidence. The folks who found the flaws publicized them to gain notoriety, without giving Microsoft advance notification. This gives the hackers a full month to exploit the vulnerabilities before the next monthly patch cycle.
------------------
b0b
From: Cloverdale, CA, USA
Posted 22 Jun 2006 12:14 pm
Sounds like a shady business practice to me.