Excel vulnerability puts 120 million users at risk


Mimecast’s Threat Center has discovered a weakness in Microsoft’s Excel tool that allows the remote embedding of malicious payloads.

According to the security firm, the weakness means that cyber criminals could potentially embed any malicious payload that won’t be saved inside the document itself, but downloaded from the Web when the document is opened.

The technique uses a feature in Power Query - a business intelligence tool that allows users to easily integrate their spreadsheets with other data sources - to dynamically launch a remote dynamic data exchange (DDE) attack.

Using Power Query, threat actors could embed malicious content in a separate data source, and then load the content into the spreadsheet once it is opened.

Enormous potential for abuse

Because Power Query is a popular tool within Excel, the potential for abuse is huge. Once exploited, it could be used to commit sophisticated attacks that employ a variety of attack surfaces, including local privilege escalation, DDE attacks and remote code execution exploits.

In addition, the feature could be used to fingerprint a sandbox or a victim’s machine even before delivering any payloads, meaning the threat actor has pre-payload and pre-exploitation controls, and could deliver a malicious payload to the victim while also making the file appear harmless to a sandbox or other security solutions.

Meni Farjon, chief scientist for Advanced Threat Detection at Mimecast, says as far as the company knows, there have not been any reports of this vulnerability being exploited yet. “However, every Excel user - an estimated 120 million worldwide - is affected by this vulnerability.”

No fix at this time

When asked whether the vulnerability had been fixed, he said: “Mimecast worked with Microsoft as part of the Coordinated Vulnerability Disclosure process to determine if this is an intended behaviour for Power Query, or if it was an issue to be addressed. Microsoft declined to release a fix at this time and offered a workaround to help mitigate the issue. There is currently no patch available for this vulnerability.”

So what should users do to protect themselves?

Farjon says a good threat protection solution that detects and blocks the use of this technique is recommended. For users who don’t have such a solution, Microsoft has offered a workaround in a published advisory (4053440) that indicates steps and procedures regarding security settings for Microsoft Office applications. This advisory provides guidance on what users can do to ensure that these applications are properly secured when processing Dynamic Data Exchange fields.
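
A workbook triage check in the spirit of the detection recommended above, as an added example that is not from Mimecast or Microsoft: it flags OOXML workbooks that carry Power Query connections so they can be reviewed before being opened. The part names and provider string it looks for are assumptions about how Excel stores Power Query data, not details given in the article, and the sample workbook is constructed.

```python
import io
import zipfile

# Assumption (not stated on the page): Power Query connections show up in
# xl/connections.xml with the Microsoft.Mashup.OleDb provider, and the query
# definitions sit in a customXml part whose root element is DataMashup.
MASHUP_PROVIDER = b"microsoft.mashup.oledb"
MASHUP_MARKERS = (b"DataMashup", "DataMashup".encode("utf-16-le"))


def triage_workbook(data: bytes) -> dict:
    """Report Power Query indicators in an .xlsx/.xlsm passed as raw bytes."""
    report = {"is_ooxml": False, "mashup_connection": False,
              "mashup_parts": [], "needs_review": False}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report  # legacy .xls or not a workbook: needs a different parser
    with archive:
        names = archive.namelist()
        report["is_ooxml"] = "[Content_Types].xml" in names
        for name in names:
            lower = name.lower()
            if lower == "xl/connections.xml":
                body = archive.read(name).lower()
                report["mashup_connection"] = MASHUP_PROVIDER in body
            elif lower.startswith("customxml/") and lower.endswith(".xml"):
                body = archive.read(name)
                if any(marker in body for marker in MASHUP_MARKERS):
                    report["mashup_parts"].append(name)
    report["needs_review"] = report["mashup_connection"] or bool(report["mashup_parts"])
    return report


def build_sample(with_query: bool) -> bytes:
    """Build a constructed workbook skeleton in memory (not a real Excel file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        if with_query:
            z.writestr("xl/connections.xml",
                       '<connections><connection id="1" connection="Provider='
                       'Microsoft.Mashup.OleDb.1;Location=Query1"/></connections>')
            z.writestr("customXml/item1.xml",
                       "<DataMashup>AAAA</DataMashup>".encode("utf-16-le"))
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_workbook(build_sample(True)))
```

A hit means only that the workbook uses Power Query, which is also common in legitimate files; it marks the attachment for closer inspection rather than proving it is malicious.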
