Thursday, March 13, 2008 11:17 AM cmosby

Websense® - Security Labs Alert: Websense Discovers Microsoft Excel High-risk Zero-day Vulnerability - Patch Released

 

March 10, 2008

Informational Alert: Websense Discovers Microsoft Excel High-risk Zero-day Vulnerability - Patch Released

Websense® Security Labs™ has discovered a high-risk, zero-day vulnerability (Excel Conditional Formatting Vulnerability – CVE-2008-0117) within Microsoft Office Excel.
This vulnerability, discovered by Websense in November 2007, requires minimal user interaction. Exploit code can be embedded within Microsoft Excel files and launched upon opening an Excel document. This code could be launched over email, through a Web site, or using another, less common method. Upon discovery, Websense disclosed this important vulnerability to Microsoft. The vulnerability has been patched in Microsoft Security Bulletin MS08-014.

All addressed vulnerabilities in Microsoft Security Bulletin MS08-014:
Excel Data Validation Record Vulnerability – CVE-2008-0111
Excel File Import Vulnerability – CVE-2008-0112
Excel Style Record Vulnerability – CVE-2008-0114
Excel Formula Parsing Vulnerability – CVE-2008-0115
Excel Rich Text Validation Vulnerability – CVE-2008-0116
Excel Conditional Formatting Vulnerability – CVE-2008-0117
Macro Validation Vulnerability – CVE-2008-0081
Note: Microsoft Excel 2002 and earlier versions are affected.

Because several targeted attacks have used Microsoft Office vulnerabilities, we recommend that users patch their machines.

Websense ThreatSeeker™ technology is actively searching for in-the-wild exploits. Websense automatically protects customers upon discovery. Websense has not yet seen CVE-2008-0117 in the wild; however, CVE-2008-0081 has been confirmed to have been used.

We have created a video to show how this vulnerability could potentially be used in the wild. The video contains a proof-of-concept exploit on a Windows XP machine running an unpatched version of Excel. In this video, the user receives an exploited Excel file via email. The user manually opens it, and the machine is exploited automatically.

For the purpose of visualization, our exploit executes Solitaire. However, a malicious exploit could execute arbitrary code.
Proof of concept video: Link
Large AVI movie example: Link
YouTube video: Link

References:
March 2008 bulletin summary
Microsoft Security Bulletin MS08-014 - Critical
CVE-2008-0117

Source: Websense® - Security Labs Alert: Websense Discovers Microsoft Excel High-risk Zero-day Vulnerability - Patch Released
