Matt Nelson at Specter Ops has found a new way for hackers to use Excel to access your computer. Even disabling VBA won’t fix this security hole.
It uses a technique called ‘Lateral Movement‘ within Microsoft’s DCOM (Distributed Component Object Model).
Matt explains it all in great detail but for the rest of us it means this:
A hacker can use Excel to run a malicious macro on a remote computer, even if VBA has been disabled as in the Group Policy.
Excel is available via Microsoft’s DCOM with no specific launch or access permissions so the default permissions are used. The default DCOM permission is, wait for it, Administrator access – oy! With that access, a hacker can use Powershell to start Excel remotely.
The malicious macro can be saved to the remote computer and, with a little more trickery, Excel will run that macro. In the example, only the Windows Calculator is run but any program can be started.
What can you do?
This exploit is just theoretical at this time. It’s a way for a hacker to spread nasty software through an organization or local network.
Here’s some suggestions for blocking the exploit however we do NOT recommend making these changes. Altering the permissions, especially the DCOM defaults, could cause ‘collateral damage’.
- Change the Launch and Access permissions for Excel.Application object and other Office objects via dcomcnfg.exe
- Change the default remote Launch/Access permissions for all DCOM objects also via dcomcnfg.exe
- Check the Local Administrators and reduce to a minimum.
- Set Windows Firewall to block external access
