Microsoft Confirms Excel Zero-Day Attack

Posted by Zonk
from the 0day-warez-is-fun-to-say-though dept.
Guglio writes "Eweek has a story about a new, undocumented Excel flaw that is being used in a targeted attack against an unnamed business. The latest zero-day attack comes just two days after Patch Tuesday (coincidence?) and less than a month after a very similar, 'super, super targeted attack' against business interests overseas. The back-to-back zero-day attacks closely resemble each other and suggest that well-organized criminals are conducting corporate espionage using critical flaws purchased from underground hackers."
  • by brian0918 (638904) <brian0918.gmail@com> on Friday June 16, 2006 @11:48AM (#15549209)
    "...suggest that well-organized criminals are conducting corporate espionage using critical flaws purchased from underground hackers."

    Are you implying that hackers don't have the wherewithal to pull off corporate espionage? Can they do nothing more than crack the latest version of VirtuaGirl?
    • by SatanicPuppy (611928) * <Satanicpuppy@gm[ ].com ['ail' in gap]> on Friday June 16, 2006 @11:55AM (#15549259) Journal
      Yea, nice way to jump to conclusions. The idea that intellectuals can't be criminals is almost Victorian. Or maybe they fell for the stereotype of the happy-go-lucky-non-malicious-but-intellectually-inquisitive hacker who could come up with an exploit, but never use it for EVIL.

      Zero-day exploits do tend to suggest someone with specific goals, who has the resources to sit and come up with zero day exploits, and the foresight to target deployment to achieve a goal. It's not behaviour that we stereotypically associate with hackers, but there is no reason it couldn't be one person (or ten or a hundred).
      • If a hacker sold an exploit to someone who uses it for corporate espionage, isn't that using his intellectual ability for "evil" as you put it?
      • Hackers for hire are not uncommon in the world of the mafia. Hell, some of them are even well groomed, wearing a suit and tie. Basically, highly educated intellectuals that only give a damn about a phat paycheck.
      • by gowen (141411) <gwowen@gmail.com> on Friday June 16, 2006 @12:46PM (#15549628) Homepage Journal
        The idea that intellectuals can't be criminals is almost Victorian

        Hey! I resent that!

        Love,
        Professor James Moriarty.
      • by dotoole (881696)
        You're missing the point. It's not that the hackers who find these exploits wouldn't use them - it's that they're smart enough NOT to use them. Undocumented exploits are worth their weight in gold for online criminals. Why use the exploit yourself and risk getting caught when you can sell it off to someone else for a tidy sum and let THEM risk getting caught?
      • "The idea that intellectuals can't be criminals is almost Victorian."

        True but I don't think the article suggests that. Finding an exploit and then selling it IS "evil" and although IANAL probably illegal. It would take a moron not to realize that the exploit someone pays money for will be used maliciously.
    • by IthnkImParanoid (410494) on Friday June 16, 2006 @11:56AM (#15549263)
      Can they do nothing more than crack the latest version of VirtuaGirl?

      They can do that? Do you know where I can find these guys? I need to, uh, confirm your statement. Solely for scientific purposes, you understand.
    • by sterno (16320) on Friday June 16, 2006 @12:03PM (#15549319) Homepage
      The thing is, to be a good hacker, you kinda have to spend a lot of time and energy on hacking. At the end of the day, it's probably easier and equally lucrative to just sell your exploits to other people rather than using them yourself. It's also a much safer route legally speaking because you aren't directly involved in the criminal act, you're just selling the tools.

      • What raises my eyebrows is that hacks like this are a "one shot deal". You can't run an exploit for very long without it getting noticed, then patched. So the charge for these must be pretty high, given that it seems like work for hire.

        So the business background on this exploit is probably far juicier than the exploit itself. The path to contact, payment, motive, etc are probably a great story. I would certainly read that book.

        Of course, if writing such a book, I would take the XL
      • It's also a much safer route legally speaking because you aren't directly involved in the criminal act, you're just selling the tools.

        Be careful!!! In the US, you can be charged with being an accessory [criminal-l...source.com] to a crime.
        • It's also a much safer route legally speaking because you aren't directly involved in the criminal act, you're just selling the tools.

          Be careful!!! In the US, you can be charged with being an accessory to a crime.

          ...and shortly in the UK also if the government get their way [parliament.uk]. Or, for that matter, if you create a security testing tool that some copper takes a dislike to.

        • Can the owner of a gun shop be charged as an accessory if a gun they sold is used in a murder?

          All the cracker has to do is come up with a reasonable way that they could have plausibly sold it without criminal intent (i.e. they get the actual criminal to agree that the cracker sold it for security testing purposes, not for cracking purposes, or something like that).

    • The hackers themselves are probably not committing the corporate espionage. They are merely traders in "Security Tools". They are like arms dealers who sell to warlords. So no, the hackers probably do not pull off the corporate espionage; they just develop the means to do it. Which is probably the smarter thing to do.
  • by Thunderstruck (210399) on Friday June 16, 2006 @11:49AM (#15549217)
    Well organized criminals conducting corporate espionage, complex software running international corporations, (hackers/crackers) slipping deviously bugged code into the works for their own nefarious purposes.

    I don't need to RTFA, I can just wait for the movie.
  • okN.xls? (Score:5, Funny)

    by gEvil (beta) (945888) on Friday June 16, 2006 @11:50AM (#15549224)
    The Trojan arrives as a Microsoft Excel file attachment to a spoofed e-mail with the following name: "okN.xls."

    Hmm, I guess I should rename my spreadsheet containing a list of Oklahoma natives.
    • It seems like a lot of work to go to and not give the spreadsheet a credible name, unless the hax0rs are targeting camelCase users. Why not use "2007 Budget.xls" or "Vacation days.xls" or "World Cup Pool.xls"?
  • Zero day?!? (Score:5, Funny)

    by ILikeRed (141848) on Friday June 16, 2006 @11:51AM (#15549229) Journal
    It should really be called the -28 day attack, or something along those lines, since they are coordinating it to fall shortly after Microsoft's retarded "we only fix security once a month" schedule.
    • That whole "fix on a schedule" idea seems like a great idea until it is put into practice; then it is exposed to be just as bad as any other "strategy" to patch Microsoft software against every attack.

      One of the pitfalls of MS' popularity is that everything they do is exploited. It seems that no matter what they do someone will take advantage of it and screw their customers.
      • by ILikeRed (141848) on Friday June 16, 2006 @11:59AM (#15549285) Journal
        It is not a popularity problem - it's a "our marketing and sales departments delegate everything to our engineering and security departments" problem.
      • "That whole "fix on a schedule" idea seems like a great idea until it is put into practice"

        It never seemed like a good idea from the start to anyone who's set up and used any Linux distro. Release fixes when the problem is fixed, not a month later.

        This problem is nothing to do with MS's pervasiveness, and everything to do with plain old-fashioned incompetence.

        • It's their customers demanding they only release fixes after they've tested and approved them. God only knows how many fixes we may never get because one huge customer has an issue with it and has the lawyers ready to go if they get exploited due to documentation of a flaw. That's probably why we've gotten so many fixes rolled in with other fixes undocumented.
      • by fm6 (162816)
        They work on a schedule because that's the only way you can do a software project of any size. It's not like a flaw pops up once in a while, and they pull a programmer off his regular chores to write a patch. This is a large number of patches getting released over a long period of time. To create, test, and deploy software on that scale, you need a large team of programmers, together with project managers, QA folk, integrators, web deployment people, and technical writers. That kind of org cannot work on an
          1. Regardless of how often Microsoft has said otherwise in court, they do not make one product
          2. Other software firms of similar size do release security patches as needed. And not just Red Hat, but IBM, Sun, Novell.... Granted, doing so means you cannot hide other "upgrades" in "security" packages, but it really is the best thing for the end user.
          • Regardless of how often Microsoft has said otherwise in court, they do not make one product

            And that is relevant to this discussion because...

            Other software firms of similar size do release security patches as needed.

            No software firm has ever needed to release as many security patches as Microsoft has.

            I actually work for Sun. If you told our software people that they had to release dozens of patches per year, and do it without a scheduled software cycle, they'd laugh in your face.

        • No, that's BILL'S excuse - "It doesn't make me any money, so we're not doing it."

          If you think about it, it doesn't matter if the number of patches per month is large or small. It's just a matter of having enough people to deal with ALL of them, on a pipeline where it ends up in a security patch download on Microsoft Update.

          The problem for BILL is the number of people he has to pull off his "upgrade" and "new" products like Vista - which DO make him money - to the problem of security which does NOT make him
          • If you think about it, it doesn't matter if the number of patches per month is large or small. It's just a matter of having enough people to deal with ALL of them, on a pipeline where it ends up in a security patch download on Microsoft Update.
            Yeah, that's fine if you don't test your patches, document them, worry about creating new security holes, and not producing a new patch that doesn't undo the work of old ones.
    • Closed source software doesn't have security problems, they have marketing and public image problems. What do you expect?
  • NOT TO FEAR! (Score:4, Insightful)

    by pcguru19 (33878) on Friday June 16, 2006 @11:52AM (#15549242)
    Just upgrade to Windows VISTA (when it's out) and Office 2007 (when it's out) and all of these silly security issues will go away....

    Oh wait, didn't they say that when they released Windows 98, Windows ME, Windows 2000, Windows XP, Windows 2003 Server, Office XP, & Office 2003? HMMMMMMM. This could be a pattern forming.
    • Every time, it's all better in the next version. And DRM, don't forget that, and that will make you SO secure against everything you could do against your computer...
    • Hah, I'm glad I stuck with Windows 95. Foiled their marketing department again !
    • But Vista is the one! Just think about it..

      1. Built under their "security is top priority" and "trustworthy computing" initiatives.

      2. Microsoft built security-focused tools such as .NET .. I'm sure it's used extensively in their flagship operating system and applications.

      3. Given the long development cycle, I'd have to imagine they recoded most of the system and not based it off of their previous code which all has major critical security issues.

      4. I'd have to imagine in the effort to keep the system secure, b
      • Re:NOT TO FEAR! (Score:2, Insightful)

        by pcguru19 (33878)
        Did you drink the grape Kool-Aid or the cherry Kool-Aid at the education camp? Microsoft will never get past the patching and they've at least built a process (monthly patches) and tools (WSUS, SMS, Windows Update, etc.) to deal with this reality.

        There's a simple formula to determine how secure and reliable any software is (OS or application). As you add to the total lines of code, regardless of who is writing the code, the opportunities for unexpected errors and security issues grows at a logarithmic s
    • by 0xABADC0DA (867955) on Friday June 16, 2006 @12:54PM (#15549686)
      Actually there's plenty of evidence for a natural cycle of security issues. In the past, millions of years ago, there were far more security issues than there are now. In fact, many scientists disagree over the cause of the recent increase of exploits, whether this is caused by man or whether it is just part of a natural downturn from the last Mini-Secure Age (which incidentally ended when the Irish potato fields were compromised).

      In any case, to presume some kind of pattern from this last decade of operating systems is poor reasoning -- the science just isn't in yet to show any long-term trends. Sure, 7 of the 10 most exploited operating systems have been released in the last decade, but that is not statistically relevant over the million year record of security issues. Certainly taking some kind of preventive action like using Safe Languages is just being alarmist, as is all the liberal scaremongering that "all your base will be pwned" by the end of the century. Think of the economic impact of all those wasted cycles that could be better used doing manual memory management.

      Listen, the computer was here long before Windows, and they'll still be around after Windows is gone. We're overstating our importance to say that mere programmers can destroy the whole computer. Sure, it may be uninhabitable by our software but eventually random bit-flipping will reset the computer and a new OS will take over. It's evidence of the indisputable intelligent design of computers that they can recover from anything we could possibly run on them.
  • by HellYeahAutomaton (815542) on Friday June 16, 2006 @11:53AM (#15549244)
    "Eweek has a story about a new, undocumented Excel flaw that is being used in a targeted attack against an unnamed business."

    You can't go running around with a business without a name! Focus groups people, focus...

    • located in Redmond, WA. The Chief Software Architect of the unnamed business also works a second job and hangs out with world leaders in his spare time, curing cancer.
  • Is diffing binaries THAT hard to do? *Rolls eyes*
  • news? (Score:5, Interesting)

    by bcrowell (177657) on Friday June 16, 2006 @11:55AM (#15549260) Homepage
    Why is this news? If users are willing to click on an attachment from someone they don't know, then of course they're extremely vulnerable. Of course, the problem is made worse by the fact that MS makes it so difficult not to run with administrator privileges. If this is really targeted at a particular business, then the solution seems pretty simple: that business tells all their employees not to click on attachments from people they don't know, and whips up some software to filter out this stuff before it even gets to their users. If they're big enough to be an attractive target for extortion, they're presumably big enough to have an IT staff competent to take care of those simple steps.
    • Re:news? (Score:2, Informative)

      by SheeEttin (899897)
      MS makes it so difficult not to run with administrator privileges


      Actually, it's not that hard. Log in as a limited user, do whatever you need to do, and if you encounter a program that absolutely needs to run as an admin, just right-click > Run as..., enter the admin account name and password, and the program will run under the admin account. I personally haven't made the permanent switch to Linux yet, but I think it's comparable to sudo.
      • Which is fine unless one of the programs runs at startup in which case you need to create a shortcut, set that to run with different credentials and then change the registry to point to the shortcut instead of the executable. User-friendly my arse.
        • It has absolutely nothing to do with Microsoft Windows. Complain to the third party author of the *broken* software. Microsoft's stuff has been working fine for a long long time without admin rights. Why can't everyone else?
    • Re:news? (Score:3, Interesting)

      by Bert64 (520050)
      Users shouldn't need to worry about stupid shit like this.
      End users should be able to open data files (data, not executable files) without fear of being owned. Data files should not have the ability to contain code (with the exception perhaps of rudimentary macros which can only interact with the host program and are sandboxed, like Java applets or JavaScript).
      • This is not a macro virus. This is a buffer overflow reading the data file.

        Data files shouldn't contain code? What better place to put the code than in the same file as the data it manipulates? A sandbox wouldn't necessarily meet the needs of the business. A sandbox would probably be ok for Word or PowerPoint. Sandboxing Excel macros would be a huge mistake. Some of the most useful and time saving macros in Excel automate the process of gathering data from disparate sources.

    • Re:news? (Score:5, Insightful)

      by Anonymous Coward on Friday June 16, 2006 @12:15PM (#15549398)
      If users are willing to click on an attachment from someone they don't know, then of course they're extremely vulnerable.

      There is no reason why it should have to be that way. In other operating systems and office suites, you can open documents to see what's in them without handing over control of the OS to someone. Why should we accept a world in which unsolicited communication is banned? Why can't we allow businesses to expand by making contacts with new, previously unknown people?

      Of course, the problem is made worse by the fact that MS makes it so difficult not to run with administrator privileges.

      No, actually it is not. The most damaging things money wise that can happen to your computer are all available as the user, because if the data is important, the user obviously has to be able to read it. Trashing C:\Windows can always be fixed with a re-install. Uploading outlook.pst and *.xls to some site in Hong Kong can never be undone.

      If this is really targeted at a particular business, then the solution seems pretty simple: that business tells all their employees not to click on attachments from people they don't know, and whips up some software to filter out this stuff before it even gets to their users. If they're big enough to be an attractive target for extortion, they're presumably big enough to have an IT staff competent to take care of those simple steps.

      No, that is not the solution. Having to spend more on IT is the PROBLEM THIS BUG CREATED, not the solution.

      Like many computer users, windows or linux or mac, you have internalized your work-arounds and broken-system survival strategies to the point that you actually think that's the way things are supposed to work.

      • Re:news? (Score:2, Interesting)

        by Frightening (976489)
        Why can't we allow businesses to expand by making contacts with new, previously unknown people?

        Because that's called MySpace, and look where that got us. Think of the children.
        *raises troll mod shield*
    • Why is this news? If users are willing to click on an attachment from someone they don't know, then of course they're extremely vulnerable.

      These are carefully crafted messages spoofed to appear to be coming from someone within the company. It is someone they know and it is an Excel spreadsheet, which is data and should not be able to install any software unless Excel is designed for crap (which it is).

      Of course, the problem is made worse by the fact that MS makes it so difficult not to run with administra

    • hello? this is a targeted attack, what makes you think that "users are willing to click on an attachment from someone they don't know"? If it's targeted I bet the email was spoofed to appear as if it was sent by somebody working at the company...

  • News? (Score:5, Insightful)

    by MarkByers (770551) on Friday June 16, 2006 @11:59AM (#15549286) Homepage Journal
    Everyone knows that you should not open attachments. Word is likely full of 1000s of exploitable holes. Excel too. Plus any other complex program.

    Yes, OpenOffice will be full of holes as well.

    Not news.

    As for attacking just after the patch cycle, it's unlikely to mean anything. If I wanted to take advantage of a vulnerability for as long as possible, I would attack two or three days before the patch cycle. That will give people a couple of days to work out what happened and report the issue to Microsoft. After some initial analysis and prioritisation, a developer will be assigned to fix it. By that time it will have missed the boat for this month's patch day. Not that I would do this though. :)
    • In the average office, MS-Office documents fly low. Mail is still THE way to transport documents between companies.

      If you now expect your employees not to open MSO documents, you pretty much expect them not to work.
    • "Everyone knows that you should not open attachments"

      Unfortunately, not true, any more than saying everyone knows not to follow a link emailed to you that requests you enter your login/password. The unfortunate truth is the majority of internet users are not /. computer savvy, security conscious people. In fact, in the business world, they may not even be conscious...

      I can't wait till Excel 2007 comes out. Not of course for the security system (which will continue to be meaningless as long as dumb Joe leav
  • by mmell (832646) <mmell@hotmail.com> on Friday June 16, 2006 @12:02PM (#15549302)
    is that (much like terrorists) there is no formal organization against which to direct your attention. The white-hats are left with trying to find individual crackers, much like the *AA goes after individual file-sharers because there is no centralized target for their wrath.

    In this instance, however, it is being hypothesized that an organized group is responsible. That's a centralized target; likely to yield more than one guy in his basement wearing shorts and a coffee-stained t-shirt, drinking coffee and jolt and living off old pizza.

    So, to CERT (and their international counterparts) I say - "Go get 'em, boys!"

  • Patches Available (Score:4, Informative)

    by GogglesPisano (199483) on Friday June 16, 2006 @12:05PM (#15549328)
    Patches for this problem available here [openoffice.org], here [gnome.org] and here [mozilla.com].
  • by MarkByers (770551) on Friday June 16, 2006 @12:06PM (#15549339) Homepage Journal
    against an unnamed business

    I think they should be more worried that they are the victim of identity theft [slashdot.org].
  • stupid (Score:4, Funny)

    by mapkinase (958129) on Friday June 16, 2006 @12:08PM (#15549349) Homepage Journal
    I do not believe that an e-mail spamming attack against a single company can be that effective. A very low percentage of e-mail users, especially professionals, actually open the attachments in unsolicited e-mails.
    • I do not believe that an e-mail spamming attack against a single company can be that effective.

      For the previous Word exploit, they were actually spoofing addresses so it appeared to be coming from an employee.

      A very low percentage of e-mail users, especially professionals, actually open the attachments in unsolicited e-mails.

      ...and the fact that most systems are so insecure that users have to avoid viewing data, because it can compromise their machine is just pathetic. Whole generations are trained to wo

  • by fotoflojoe (982885) on Friday June 16, 2006 @12:13PM (#15549387)
    Must be the work of terrorist cells...
  • With an open file format such as OpenDocument, it would be much harder to hide malicious code and/or exploits in a document...

    You could easily parse the file at your gateway and validate the XML content against the published schema (rejecting it if it fails). Although this wouldn't be foolproof (an exploit could still exist within well-formed XML, but is less likely), it would cut out a significant portion of vulnerabilities.
  • Just in time (Score:5, Insightful)

    by Opportunist (166417) on Friday June 16, 2006 @12:16PM (#15549405)
    Anyone here thinking it's a coincidence that the exploit goes live JUST after "patch day"?

    I don't want to call the responsible people at MS retards, who thought that patching at one very predetermined day every month is a good idea, but my English is not good enough to come up with a better name for this kind of idea.
    • Thesaurus to the rescue: imbeciles

      On a more serious note, I'm honestly surprised it has taken this long for this kind of operation to emerge. The very idea of a Patch Day[tm] is to A) appease corporate types who think they understand what "unscheduled downtime" means but are too detached from reality to understand what significance it carries; and B) assume that people outside the company can't discover holes in your software.

      For point B, see first paragraph.

      • For corporate types, see it, too.

        Quite frankly, I do understand why it's more convenient, for both sides, to use a fixed date for patching. But let's be honest here, criminals don't care for your working hours. I could rant and rave and whatnot, for the usual exploit/hack/trojan usually comes JUST in time for weeks when either Tuesday or Thursday is a holiday. Gee, why? 'cause everyone will have taken Monday/Friday off and the unpatched window opens wider.

        You have NO idea what it's like around XMas/New Yea
  • Between this stuff, WGA, and just general principle I'm not sure I'll ever boot XP again. Just gotta figure out how to run Party Poker on Lx...
  • Why doesn't anyone employ these hackers to attack spam companies. It would be using one destructive web force against an annoying one, after all, I'm sure they get spam too. The enemy of my enemy is my friend.
  • /. is quickly becoming a verb, irrelevant. They have a hot story about a security flaw, targeted attack and economic damage to one corporation without a trace of realism anywhere to be found. Not in the lead-in story, comments, or even in the interface. Yeah, this whiz-bang 2 week old upgrade that managed to only change the window dressing. At least, the very least, a competent UI designer would have added a "drop down" menu to the UI.

    New drop down UI:
    No Bullshit = no :: 5 "Funny", 5 "First P0st", 5 "Tin
