LandzDown Forum

Security => Security Alerts & Briefings => Topic started by: Eric the Red on June 19, 2006, 11:32:56 PM

Title: US-CERT Technical Cyber Security Alert -- Microsoft Excel Vulnerability
Post by: Eric the Red on June 19, 2006, 11:32:56 PM
A vulnerability has been discovered in Microsoft Excel, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an unknown error within the processing of specially crafted Excel documents.

Successful exploitation allows execution of arbitrary code.

The vulnerability has been confirmed on a fully updated Windows XP SP2 system with Microsoft Excel 2003 SP2. Other versions may also be affected.

NOTE: This vulnerability is a so-called 0-day and is already being actively exploited.

Solution:
Don't open untrusted Excel documents.

US-CERT Technical Cyber Security Alert TA06-167A (http://www.kb.cert.org/vuls/id/802324)

[Quoted sources - Secunia & UNIRAS]
Title: Re: US-CERT Technical Cyber Security Alert -- Microsoft Excel Vulnerability
Post by: winchester73 on June 20, 2006, 12:27:00 AM
ETR ... Hope you don't mind, I edited your link to remove the ">" at the end that made it unable to open ...

While doing so, I found another reference here:  http://www.us-cert.gov/cas/techalerts/TA06-167A.html


:P
Title: Re: US-CERT Technical Cyber Security Alert -- Microsoft Excel Vulnerability
Post by: Eric the Red on June 23, 2006, 12:03:35 AM
Quote from: winchester73 on June 20, 2006, 12:27:00 AM
ETR ... Hope you don't mind, I edited your link to remove the ">" at the end that made it unable to open ...


Not at all Matey! Thanks for tidying it up. On a more sober note, the exploit code was published to the wild on June 22nd. As a result we can expect to see a rash of trojans that will exploit the Excel vulnerability. To date the most informative site that I have found is the Securiteam blog (http://blogs.securiteam.com/index.php/archives/451)

:?
Title: Re: US-CERT Technical Cyber Security Alert -- Microsoft Excel Vulnerability
Post by: Corrine on June 23, 2006, 01:29:05 AM
Here's the Microsoft Security Response Blog Report:  Information on Proof of Concept posting about hlink.dll (http://blogs.technet.com/msrc/archive/2006/06/20/437826.aspx)

In part:

First, I want to be clear that this is proof of concept code and not an attack.  We're not aware of any attacks based on this code based on our work with our Microsoft Security Response Alliance partners.

Second, our investigation so far has shown that while the posting claims this is a vulnerability in Excel, it actually is a vulnerability in hlink.dll which is a Windows component that handles operations involving hyperlinks. Any attempt to exploit this vulnerability would require convincing a user to open a specially-crafted Excel document. The user would then also have to locate and click on a specially-crafted long link in that document.  We have not found any way to attempt to exploit this vulnerability that involves simply opening a document: a user must locate and click a hyperlink in the document.

As a reminder, it's important to make sure that you only accept and open files from a trusted source, as well as be careful what websites you visit.
Title: Re: US-CERT Technical Cyber Security Alert -- Microsoft Excel Vulnerability
Post by: Corrine on June 25, 2006, 01:05:49 PM
SANS update from  http://www.incidents.org/diary.php?storyid=1444

Quote
Excel Issue Scorecard
Published: 2006-06-25
Last Updated: 2006-06-25 01:00:02 UTC by Kevin Liston (Version: 2)

To help clearly identify the issues, exploit code and remedy related to the recently announced Excel vulnerabilities, I offer this humble correlation.  This information comes from Microsoft, Mitre, and vigilant readers sending in tips.  My thanks go to all.

CVE-2006-3059 aka "Excel Repair Mode" http://www.microsoft.com/technet/security/advisory/921365.mspx
Exploited by: Mdropper.G, Booli.A, Flux.E, Booli.B

CVE-2006-3086 aka "Long Hyperlink"   http://blogs.technet.com/msrc/archive/2006/06/20/437826.aspx
Exploited by: Urxcel.A, and three known public exploit code examples

CVE-2006-3014 aka "Shockwave vulnerability"
Exploited by proof of concept code Flemex.A
The workaround is a killbit
Title: Re: US-CERT Technical Cyber Security Alert -- Microsoft Excel Vulnerability
Post by: Corrine on June 25, 2006, 01:23:58 PM
. . . and "An update on recent public issues" (http://blogs.technet.com/msrc/archive/2006/06/24/438657.aspx) from the Microsoft Security Response Center Blog:

Quote
We've had several questions regarding some recent issues that have affected Microsoft Excel over the last week. So, I thought I'd take a minute to review each, what the security impact could be for each issue, and what we're doing to resolve the issues.

We're currently investigating three issues that have mentioned Microsoft Excel. The first one involves a vulnerability in Microsoft Excel itself. This issue has been assigned vulnerability identifier CVE-2006-3059. (The vulnerability identifiers are included within all of our security bulletins and security advisories and are a great way to help differentiate issues.) We released Security Advisory 921365 on Monday that has a full overview of this vulnerability, along with mitigations and workarounds. A couple key points - customers using Excel 2002 (included with Office XP) or Excel 2003 (included with Office 2003) will be warned before opening the attachment from an e-mail or a Web page, so remain careful when opening unsolicited files. Also, in the advisory there are instructions on how to modify the Access Control List (ACL) of a registry key that can block exploitation on Excel 2003. We've reached out to our partners in the MSRA and are sharing generic detection information for the vulnerability itself. The Office product team is currently testing updates that resolve the issue, and we expect to have it ready for release on or before July 11th.

Another issue was reported early this week that we discussed in the following post: http://blogs.technet.com/msrc/archive/2006/06/20/437826.aspx. This vulnerability has been assigned vulnerability identifier CVE-2006-3086. The vulnerability is in a Windows component, Hlink.dll, however it affects customers that open a specially crafted office document, and then click on a hyperlink within that document. Customers using Office XP or Office 2003 will get the same prompts as with CVE-2006-30059 when opening documents, so once again, being cautious when opening Office documents helps here as well. However, in our testing of the public posting we've seen that after the document is opened, for an attack to be successful, a user would still need to click on a link within that document and will be given a second prompt asking if the user does in fact intend on navigating to that destination. While the dialog doesn't present a security-specific warning, the destination will include attack code, and does not look like a legitimate destination. So some social engineering would be required to make this attack successful. However, the fact that social engineering is required hasn't stopped us from working quickly. We're currently testing a fix for this issue and are investigating workarounds for customers.

The third was reported on Tuesday and that issue involves a method that allows an ActiveX control to be loaded within an Office document. The public posting on this has an example that involves an Excel document, so some folks may confuse this with the two issues above. This behavior is by design and by itself does not represent a security risk to customers. However, an attacker could use this functionality to automatically load a vulnerable ActiveX control already present on a user's system through an Office document. It is important to note that this is not a vulnerability and recent versions of Office respect the "Killbit" functionality of Windows that prevents vulnerable ActiveX controls from loading once they have received a kill bit through a Microsoft Security Bulletin. We're not aware of any vulnerable ActiveX controls that could allow remote code execution in this context or of attempts to use this method of attack or of customer impact at this time. We will continue to investigate the public reports to help provide additional guidance for customers as necessary.



--Mike

(I'm waiting for an update to be posted on the MS Blog by Aaron ;) )