Excel 2007 exploit 'in the wild'

Office for Mere Mortals
Your beginners guide to the secrets of Microsoft Office
Invalid email address
Tips and help for Word, Excel, PowerPoint and Outlook from Microsoft Office experts.  Give it a try. You can unsubscribe at any time.  Office for Mere Mortals has been running for over 20 years, we've never, ever revealed or sold subscriber details.  Privacy policy

An UNpatched Excel security flaw is being exploited publicly.

According to Symantec, there’s an unfixed Excel security hole which makes vulnerable Excel 2007 (with or without Service Pack 1) and maybe other versions of Excel.

The Trojan is a variation on Mdropper which takes advantage of a ‘Remote code Execution’ flaw in Excel. Symantec is listing this as a low risk level but that might be raised if infected Excel files are widely released.

This means that a hacked Excel file can be opened on your computer (via email or a network) – that file could contain a program to give full access to your computer.

There are plenty of these security flaws in Microsoft Office but usually Microsoft patches the breach in their software before hackers take advantage. In this case it seems the hackers have beaten Microsoft and there are hacked Excel files out in public.

Naturally, Office Watch will keep an eye on this and update this page as we learn more.

For the moment here’s what is known / alleged (which isn’t a lot):

  • Excel 2007 (with or without Service Pack 1) is vulnerable
  • .xlsx Excel 2007 documents are probably NOT capable of being infected – but that’s NOT certain at this stage. See below.
  • Microsoft is now also listing the following Excel versions as vulnerable (though the list might change)

    • Excel 2000
    • Excel 2002 (XP)
    • Excel 2003
    • Excel 2007
    • Excel Viewer 2003
    • Excel Viewer
    • Compatibility Pack for Office 2007 file formats
    • Office 2004 for Mac
    • Office 2008 for Mac

  • Until we know otherwise, all Excel files (.xls and .xlsx) should be considered suspect.
  • Methods of distribution / details of any email are not known.
  • No word from Microsoft on risks or a possible patch but their reponse team is working on the problem as you read this.
  • It’s possible, but not certain, that existing anti-virus / mail scanning systems will detect infected Excel files.  While Mdropper is already known, this new variant might not be detected.

Hardly a lot of detail, we know. But the potential for infection is great, especially since Excel 2007 is (should be) more secure.

For the moment, please be careful opening any Excel files that come your way, especially if they are from unknown sources, are unexpected or come in curiously worded emails.

Microsoft’s Security Advisory has some ‘suggested actions’ like using Microsoft Office Isolated Conversion Environment (MOICE) or blocking the opening of Excel files via registy / policy changes.   That’s an option for network admins to consider however it has to be balanced against the distruption to work that blocking Excel files would mean.

The comments on the MOICE workaround seem to suggest that Microsoft beleives that Excel 2007 documents in .xlsx format are NOT affected (as opposed to .xlsm which can have macros in the worksheet).  However those comments are the standard text from MS for these occasions and almost certainly haven’t yet been specifically tested. 

We’re not trying to be alarmist – however when there’s an unpatched security hole in Office that’s being exploited publicly the prudent course for us is to assume the worst until more is known.

Watch this space …

subs profile e1563205311409 - Excel 2007 exploit 'in the wild'
Latest news & secrets of Microsoft Office

Microsoft Office experts give you tips and help for Word, Excel, PowerPoint and Outlook.

Give it a try. You can unsubscribe at any time.  Office Watch has been running for over 20 years, we've never, ever revealed or sold subscriber details.  Privacy policy
Invalid email address