Microsoft Excel users are facing a new security threat: a completely new vulnerability has been discovered in the application, and malicious code capable of exploiting it has been widely disseminated on the Internet.
Meanwhile, Microsoft is also working to address another recently discovered security flaw that was reported last week. Exploit code for that issue has also surfaced.
On June 19, security firm Symantec issued a warning stating that the new vulnerability in MS Excel could cause the application to crash if a user opens a malicious file. Symantec also indicated that it is entirely possible for this vulnerability to be used to gain control over a user’s system. “Attackers could execute binary codes … but this has not been definitively confirmed.”
The latest vulnerability stems from Excel’s inability to accurately verify the source of user input before copying this content into memory. Excel 2003, Excel XP, and several other versions are affected by this security flaw, according to Symantec.
Security firm Secunia has classified this vulnerability as “extremely dangerous,” just one level below the highest rating on its severity scale.
Meanwhile, exploit code for this vulnerability has been widely released on the Internet. However, Secunia confirmed that it has not detected any attacks exploiting this vulnerability thus far.
Microsoft is currently reviewing this issue, and a company representative confirmed this yesterday. “Based on our research, we confirm that this is a new vulnerability in Microsoft Windows. This flaw could be exploited if a user clicks on a link in Office documents,” the representative stated. “However, Microsoft has not detected any attacks exploiting this vulnerability.”
Thus, the latest vulnerability in Excel has been discovered while Microsoft is working to fix another security flaw. The flaw identified last week could be exploited by attackers to gain full control of affected systems. More seriously, this vulnerability has already been used in a targeted cyberattack.
To exploit these two new vulnerabilities, an attacker must create a malicious Excel file and host it on a web server, then send the file via email or find another way to deliver it to the intended victims. The attack can only succeed if the victim opens the malicious file on a vulnerable system.
Both of these security vulnerabilities were discovered and disclosed the day after Microsoft released its monthly security updates. Microsoft stated that it is developing patches for the vulnerabilities in Excel.
However, experts believe that Microsoft may only be able to release patches for these vulnerabilities along with next month’s security update. It is rare for Microsoft to release patches outside of this scheduled time.
On June 19, Microsoft also published several tips to help users protect themselves against initial exploit attempts. Microsoft recommends that users be cautious when opening Excel files, and block email attachments or change PC settings to prevent Excel from opening spreadsheet attachments.
For Excel 2003, Microsoft advises users not to allow the application to run in “repair mode” since this vulnerability is exploited through this mode.
Hoàng Dũng