Another Malformed String Exploit Plagues Excel

By Scott M. Fulton, III, BetaNews

February 5, 2007, 12:24 PM

This morning, Microsoft acknowledged the discovery of a new and active exploit involving a malformed string that can trigger a typical overflow in Excel, with the usual bypassing of privilege dangers that ensue. Although the company says the attacks it has seen thus far appear limited and targeted, it’s repeating its warning to users not to open spreadsheets sent in e-mails from untrusted users.

Contrary to some interpretations, this is not an Outlook problem. = Instead, it appears to involve spreadsheets that contain intentionally malformed records where the image data for embedded bitmaps in a record, or IMDATA, have been malformed to trigger buffer overflows.

What has not yet been made clear -– for obvious reasons –- is exactly how the chain of events triggered by the malformed string leads to the execution of malicious code perhaps embedded elsewhere in the false image data, though such mechanisms often turn out to be less ingenious than many would speculate.

According to Microsoft, the exploit involves versions of Excel shipped as part of Office 2003, Office XP, and Office 2000 versions for Windows, as well as Office 2004 for Macintosh, although there are no reports of active exploits against Mac users.

Office 2007 uses an entirely new XML-based spreadsheet format by default; however, there are no reports of Excel 2007 opening spreadsheets in the older format (which they can certainly do) and becoming susceptible to the same overflow trouble.

As many as five malformed records attacks involving these same Excel versions were discovered in January alone; and today some security companies, including CA, are treating this new instance as another exploitation vector of an existing category.