Patch/Configuration Management, Vulnerability Management

Post-Patch Tuesday zero-day exploit targeting Microsoft Excel

Microsoft Excel users were told this week to beware of zero-day attacks taking advantage of a newly discovered vulnerability in the ultra-popular spreadsheet program.

Just a few days after Microsoft released its monthly Patch Tuesday security bulletin, Mike Reavy of the Microsoft Security Response Center said on a company blog that it had "received a single report from a customer being impacted by an attack using a new vulnerability in Microsoft Excel."

"Here’s what we know: In order for this attack to be carried out, a user must first open a malicious Excel document that is sent as an email attachment or otherwise provided to them by an attacker," he said. "So remember to be very careful opening unsolicited attachments from both known and unknown sources."

The company has added detection capabilities to the Windows Live Safety Center and is now sharing information with other Microsoft Security Response Alliance partners.

The flaw, which can allow execution of arbitrary code, is caused by to an unknown error within the processing of specially crafted Excel documents, according to vulnerability monitoring firm Secunia.

The SANS Internet Storm Center today named the exploit Trojan.Mdropper.J, which uses the flaw to drop Downloader.Booli.A.

When Downloader.Booli.A, once executed, attempts to run Internet Explorer (IE) and inject its code into IE to bypass firewalls before downloading files.

The malware then saves the file and executes an .exe file. Before exiting, the malware creates another empty file, bool.ini, according to SANS.

Scott Carpenter, director of security labs at Secure Elements, said Friday that the exploit’s release date was no fluke.

"I am sure it is not by accident that this virus was timed to be deployed immediately after Microsoft Patch Tuesday," he said in a statement. "In recent similar attacks, Microsoft has not issued an out-of-cycle patch. The exploit’s immediate release after Patch Tuesday is evidently designed to take advantage of a full month before Microsoft is scheduled to patch it."

Microsoft confirmed this week that exploits are in the wild for a number of the flaws that were patched earlier this week.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.