Malicious Excel Documents Contain Unwelcome Surprises

Summary:

• These vulnerabilities affect: All current versions of Excel shipping with Microsoft Office, and ancillary Office products (like Excel Viewer)
• How an attacker exploits them: By enticing you to open maliciously crafted Excel documents
• Impact: An attacker can execute code, potentially gaining complete control of your computer
• What to do: Install the appropriate Excel patch immediately, or let Microsoft’s Automatic Update do it for you.

Exposure:

Today, Microsoft released a security bulletin describing seven vulnerabilities found in Excel, a component that ships with Microsoft Office. The vulnerabilities affect all current versions of Office for Mac and PC, as well as ancillary Office components, such as Excel Viewer and Office compatibility packs. They even affect Microsoft Sharepoint Server.

Though the seven vulnerabilities differ technically, they share the same basic scope and impact. By enticing one of your users into downloading and opening a maliciously crafted Excel document, an attacker can exploit any of these vulnerabilities to execute code on a victim’s computer, inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

Although this type of attack requires some user interaction (which is why Microsoft only rates it as Important), we suspect that your users interact with Office documents quite regularly. An attacker could probably easily convince many users to open a malicious Excel document, so we recommend you apply this Excel update immediately.

Solution Path

Microsoft has released an Excel update to correct these vulnerabilities. You should download, test, and deploy the appropriate patch throughout your network immediately, or let the Microsoft Automatic Update feature do it for you.

MS10-017:

Excel update for:

• Office XP w/SP3
• Office 2003 w/SP3
• 2007 Microsoft Office System w/SP1
• Office Excel Viewer
• Office 2004 for Mac
• Office 2008 for Mac
• Open XML File Format Converter for Mac
• Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats
• Microsoft Office SharePoint Server 2007
• Microsoft Office SharePoint Server 2007 64-bit Edition

For All WatchGuard Users:

While you can configure certain WatchGuard Firebox models to block Microsoft Excel documents, some organizations need to allow them in order to conduct business. Therefore, the patches above are your best recourse.

If you want to block Excel documents, follow the links below for video instructions on using your Firebox proxy’s content blocking features by the .xls file extensions. Keep in mind, blocking files by extension blocks both malicious and legitimate documents.

• Firebox X Edge running 10.x
  • How do I block files with the FTP proxy?
  • How do I block files with the HTTP proxy?
  • How do I block files with the POP3 proxy?
  • How do I block files with the SMTP proxy
• Firebox X Core and X Peak running Fireware 10.x or Fireware XTM
  • How do I block files with the FTP proxy?
  • How do I block files with the HTTP proxy?
  • How do I block files with the POP3 proxy?
  • How do I block files with the SMTP proxy?

Status:

Microsoft has released an Excel update to fix these vulnerabilities.

References:

• MS Security Bulletin MS10-017