More information about the new Excel vulnerability

This morning, we posted Security Advisory 968272 notifying of a new Excel binary file format vulnerability being exploited in targeted attacks. We wanted to share more information about the vulnerability to help you assess risk and protect your environment.

Office 2007 being targeted

The current attacks we have seen target users of Office 2007 running an earlier version of Windows (Windows 2000, XP, 2003). The exploit technique used in these attacks would not work on Windows Vista or earlier versions of Microsoft Office without substantial improvements made by attackers.

We analyze a lot of Office content type exploits and this is the first time we have seen a working exploit in the wild that is able to run code on Office 2007. It is always interesting to analyze the first exploit for a new platform, especially one that has held up without being exploited for several years. Note that this is in the legacy binary file format, not the newer XML format. The nature of this vulnerability, unfortunately, lends itself to easier exploitation on Office 2007 compared to earlier versions of Office. The routines that handle object destruction were changed in Office 2007 in a way that makes exploitation for code execution easier. The same vulnerable code is present in earlier versions of Office but will more likely result only in an application crash on those versions. It appears attackers are targeting Office 2007 running on Windows XP.

How to protect yourself

The security advisory lists a couple of different workaround options:

1 – Turn on MOICE. MOICE converts the XLS to XLSX before opening. Again, the new XML file format is not susceptible to this vulnerability.

2 – Turn on FileBlock. This option is a little more disruptive to most environments. With FileBlock enabled, Excel will only open the newer, safer XML-based file format. It will not open the legacy binary file format. If your organization has switched over to using the new file format exclusively, this might be a great option, even just long enough for us to get a security update out to address the vulnerability.
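To gauge how disruptive FileBlock would be, it helps to know how many workbooks in circulation are still in the legacy binary format. The following is an added example, not code from the advisory or from Microsoft: it classifies files by content rather than extension, using constructed sample bytes and file names, and the `Workbook` stream-name match is a heuristic.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")    # compound-file header of legacy binary Office files
ZIP_MAGIC = b"PK\x03\x04"                         # XML-based workbooks are ZIP packages
WORKBOOK_STREAM = "Workbook".encode("utf-16-le")  # stream name in Excel 97-2003 files (heuristic)
LEGACY_EXT = {"xls", "xlt", "xla"}

def classify(data: bytes) -> str:
    """Classify by content: 'legacy-xls', 'legacy-other', 'ooxml-xlsx' or 'other'."""
    if data.startswith(OLE2_MAGIC):
        return "legacy-xls" if WORKBOOK_STREAM in data else "legacy-other"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "other"
        if "[Content_Types].xml" in names and "xl/workbook.xml" in names:
            return "ooxml-xlsx"
    return "other"

def inventory(files: dict) -> dict:
    """Group file names by detected format and flag extension/content mismatches."""
    report = {"legacy-xls": [], "legacy-other": [], "ooxml-xlsx": [], "other": [], "mismatch": []}
    for name, data in sorted(files.items()):
        kind = classify(data)
        report[kind].append(name)
        ext = name.lower().rsplit(".", 1)[-1]
        # Binary workbook under a new-format extension, or the reverse
        if (kind == "legacy-xls") != (ext in LEGACY_EXT) and kind in ("legacy-xls", "ooxml-xlsx"):
            report["mismatch"].append(name)
    return report

def _make_xlsx() -> bytes:
    """Constructed minimal ZIP package shaped like an XLSX (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()

# Constructed samples: header bytes plus padding, not real documents
SAMPLES = {
    "budget.xls": OLE2_MAGIC + b"\x00" * 64 + WORKBOOK_STREAM,
    "report.xlsx": _make_xlsx(),
    "invoice.xlsx": OLE2_MAGIC + b"\x00" * 64 + WORKBOOK_STREAM,  # binary content, new extension
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for kind, names in inventory(SAMPLES).items():
        print(f"{kind:13} {names}")
```

Files reported under `legacy-xls` are the ones users would need converted before the legacy format is blocked; entries under `mismatch` deserve a closer look because their extension does not match their content.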

– Jonathan Ness and Bruce Dang, MSRC Engineering

*Posting is provided “AS IS” with no warranties, and confers no rights.*