Millions of Microsoft Excel users vulnerable to remote DDE attack as new exploit is discovered
Security researchers from Mimecast Threat Center have discovered an Excel exploit that could leave 120 million users vulnerable to attack.
The security flaw means that it is possible to use Excel's Power Query tool to dynamically launch a remote Dynamic Data Exchange (DDE) attack on a spreadsheet and actively control the payload. The researchers also found that Power Query could be used to embed malicious code in a data source and spread malware.
The powerful features offered by Power Query make it ripe for exploitation, says Mimecast. And the types of attack it can be used to carry out can be very difficult to detect. Worryingly, all it can take is opening a spreadsheet for an attack to take place -- there is no need for any further user action or confirmation.
In a blog post about the discovery, Mimecast's Ofir Shlomo writes:
Power Query is a powerful and scalable Business Intelligence (BI) tool that lets users integrate their spreadsheets with other data sources, such as an external database, text document, another spreadsheet, or a web page, to name a few. When sources are linked, the data can be loaded and saved into the spreadsheet, or loaded dynamically (when the document is opened, for example).
The Mimecast Threat Center team found that Power Query could also be used to launch sophisticated, hard-to-detect attacks that combine several attack surfaces. Using Power Query, attackers could embed malicious content in a separate data source, and then load the content into the spreadsheet when it is opened. The malicious code could be used to drop and execute malware that can compromise the user’s machine.
The feature gives such rich controls that it can be used to fingerprint a sandbox or a victim’s machine even before delivering any payloads. The attacker has potential pre-payload and pre-exploitation controls and could deliver a malicious payload to the victim while also making the file appear harmless to a sandbox or other security solutions.
He adds that:
Mimecast worked with Microsoft as part of the Coordinated Vulnerability Disclosure (CVD) process to determine if this is an intended behavior for Power Query, or if it was an issue to be addressed. Microsoft declined to release a fix at this time and instead offered a workaround to help mitigate the issue.
Microsoft issued an advisory about the security hole quite some time ago, but has opted not to actually fix it.
You can read through Mimecast's research and see an example of the exploit over on the company's blog.
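Because the content described above lives in a separate data source and is only pulled in when the workbook opens, what a defender can check in the file itself is whether it carries a Power Query definition together with a connection set to refresh on open. The following triage sketch is an added example, not code from Mimecast or Microsoft; the package part names and markers it looks for (the `DataMashup` namespace, `refreshOnLoad`, `<ddeLink>`) and the function names are assumptions based on the OOXML package layout, and the sample workbook is constructed in memory.

```python
import io
import re
import zipfile

# Assumed markers from the OOXML package layout (not given in the article).
MASHUP_NS = "http://schemas.microsoft.com/DataMashup"
MASHUP_MARKERS = (MASHUP_NS.encode("ascii"), MASHUP_NS.encode("utf-16-le"))
REFRESH_ON_LOAD = re.compile(rb'refreshOnLoad="(?:1|true)"')


def triage_workbook(data: bytes) -> dict:
    """List package parts holding Power Query, open-time refresh or DDE links."""
    found = {"power_query": [], "refresh_on_open": [], "dde_links": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower, body = name.lower(), zf.read(name)
            # Power Query definitions sit in a customXml part, often UTF-16.
            if lower.startswith("customxml/") and any(m in body for m in MASHUP_MARKERS):
                found["power_query"].append(name)
            # A connection flagged refreshOnLoad pulls its data when the file opens.
            if lower == "xl/connections.xml" and REFRESH_ON_LOAD.search(body):
                found["refresh_on_open"].append(name)
            # Static DDE links are stored as <ddeLink> in external-link parts.
            if lower.startswith("xl/externallinks/") and b"<ddeLink" in body:
                found["dde_links"].append(name)
    return found


def needs_review(found: dict) -> bool:
    """Power Query plus refresh-on-open means remote data loads without a click."""
    return bool(found["dde_links"] or (found["power_query"] and found["refresh_on_open"]))


def build_sample(with_query: bool) -> bytes:
    """Constructed test workbook (placeholder content, no real query)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_query:
            mashup = f'<DataMashup xmlns="{MASHUP_NS}">PLACEHOLDER</DataMashup>'
            zf.writestr("customXml/item1.xml", mashup.encode("utf-16-le"))
            zf.writestr("xl/connections.xml",
                        '<connections><connection id="1" refreshOnLoad="1"/></connections>')
    return buf.getvalue()


if __name__ == "__main__":
    for label, wb in (("query", build_sample(True)), ("clean", build_sample(False))):
        print(label, needs_review(triage_workbook(wb)))
```

A hit only means the workbook fetches external data on open; whether that source is trustworthy still has to be judged separately.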