ARN

Months-old Excel exploit goes public

With the attack now widely available, patch ASAP, urges Symantec

Attack code that exploits a bug in Microsoft Excel went public last week, a security researcher said, prompting him to urge users to immediately apply a March 11 patch.

The exploit, which was posted to the milw0rm.com site last Friday, is the first made public for any of the seven vulnerabilities that were patched by Microsoft several days earlier in the security update tagged as MS08-014. That bulletin fixed multiple flaws in Excel 2000, 2002, 2003 and 2007 on Windows, and Excel 2004 and Excel 2008 on the Mac.

"The vulnerability that this exploit is designed to leverage was originally exploited in the wild on January 15, 2008," said Symantec security analyst Aaron Adams in an alert to customers of the company's DeepSight threat notification service. "We believe it leverages CVE-2008-0081 ... [and] involves the manipulation of an uninitialized stack variable by specially crafting an Excel file such that stack data will be pre-populated with user-supplied data and therefore able to influence the value of the uninitialized variable."

Microsoft labeled CVE-2008-0081 "critical" on Excel 2000, and "important" on Excel 2002 and 2003.

Microsoft first acknowledged the Excel bug more than two months ago, when it confirmed that hackers were attacking Windows machines via Excel. At the time, the company's security team characterized the attacks as "targeted and not widespread."

Once the attack code was publicly posted on Friday, Adams advised users to apply MS08-014 immediately. "This should be considered a high priority in light of the availability of exploit code," he said. "Additionally, users should be advised to carry out extreme caution when handling Excel files received online. If possible, Excel files should be filtered at the e-mail gateway until the updates can be applied."

The MS08-014 update was the same one that Microsoft had to re-release last week after it discovered one of the Excel fixes had produced a regression error that generated wrong results in some calculations.

Nominations for the 2012 ARN IT Industry Awards open on Tuesday, June 12.

More about: Gateway, Microsoft, Symantec, VIA
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the ARN comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Whitepapers
Latest Stories
Community Comments
ARN Directory | Distributors relevant to this article
Anyware Corporation , Aquion , ASI Solutions , Bluechip Infotech , Compucon Computers , Dicker Data , Express Data , Express Online , ICT Distribution , Impact Systems Technology , Leader Computers , Lynx Technologies , NewLease , Synnex Australia , Topstar Computer International , XiT Distribution , Xpress I.T.
ARN Directory | Vendors relevant to this article
Symantec
rhs_login_lockGet exclusive access to ARN's news, research and invitation only events.
ARN Distributor Directory
Find distributors by name | vendor | location
Channel Deals
/deals/avg/213_avg-internet-security-3-pc-2-year-10-pack-reta
AVG (AU/NZ) Pty Ltd

AVG Internet Security 2012 10 Pack Retail Specials

More details »
ARN Vendor Directory
Find vendors by name | category

iAsset is a channel management ecosystem that automates all major aspects of the entire sales,marketing and service process, including data tracking, integrated learning, knowledge management and product lifecycle management.