Security Flaw in Microsoft Excel Can Trigger Malware Attack
Power Query, a feature of the Excel spreadsheet program in Microsoft Office, can be exploited to install malware on remote systems. Researchers at the Mimecast Threat Center developed a proof-of-concept attack scenario and reported the vulnerability. The exploitable feature lets users embed outside data sources, such as external databases or web-based data, into a spreadsheet. Mimecast developed a technique to launch a remote Dynamic Data Exchange (DDE) attack through an Excel spreadsheet, deliver a malicious payload and control that payload via Power Query. Power Query could also be used to launch hard-to-detect attacks that combine several methods: using Power Query, attackers could embed malicious content in a separate data source and then load that content into the spreadsheet when it is opened.
Mimecast worked with Microsoft through its disclosure process. Microsoft declined to release a fix and instead suggested workaround mitigations to fend off attacks that use the PoC technique, including a 2017 Microsoft advisory on securing applications that process Dynamic Data Exchange fields.
Microsoft reviewed the researchers' report and stated that, for this technique to work, a victim would need to be tricked into bypassing multiple security prompts before external data is loaded or a command from a DDE formula is executed. A security update released in January 2018 for all supported editions of Microsoft Excel allows customers to control how the DDE protocol functions.
One attack scenario starts with an adversary hosting, on an HTTP server, an external webpage that contains the malicious code that will eventually be dropped into the spreadsheet. The HTTP server listens on port 80 and serves DDE content as its response when a request arrives from the spreadsheet. The victim is tricked into requesting the remotely hosted malicious webpage. The request to fetch and load the third-party data is not silent: the user is presented with a dialogue box offering "OK" or "Cancel", and the URL is clearly shown. If the user permits the outside data to load into the Excel spreadsheet cell, the attack begins. While constructing the HTTP headers for the requests that fetched the malicious payloads, the researchers found that, in their PoC built with Microsoft Office 2010, they could bypass the anti-virus and sandboxing capabilities of targeted systems by crafting false headers.
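The scenario above combines two things a defender can look for before a workbook is ever opened: an external data connection (Power Query or a web query) and a DDE link that names an outside program as its server. The following triage script is an added example written for this page; it is not Mimecast's proof-of-concept or any Microsoft tooling. It assumes only the documented OOXML package layout (a .xlsx is a ZIP whose external connections live in `xl/connections.xml`, DDE links in `xl/externalLinks/externalLinkN.xml` and Power Query definitions in a `DataMashup` part under `customXml/`). The sample workbook it builds is constructed inline for the demonstration; the `cmd` service name and `PLACEHOLDER` topic stand in for whatever a real sample would carry.

```python
"""Offline triage of an .xlsx for external data connections and DDE links.
Editor's example for this page, not Mimecast's PoC or Microsoft code; the part
names and namespaces follow the OOXML package layout (assumed, see lead-in)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

SML = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
MASHUP = "{http://schemas.microsoft.com/DataMashup}"
EXTERNAL_LINK_RE = re.compile(r"xl/externalLinks/externalLink\d+\.xml")
CUSTOM_XML_RE = re.compile(r"customXml/item\d+\.xml")
URL_RE = re.compile(r"https?://[^\s;\"']+", re.IGNORECASE)


def scan_xlsx(data: bytes) -> dict:
    """Return the workbook's external connections, DDE links and whether a
    Power Query (DataMashup) part is present."""
    findings = {"connections": [], "dde_links": [], "has_power_query": False}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        if "xl/connections.xml" in names:
            root = ET.fromstring(pkg.read("xl/connections.xml"))
            for conn in root.iter(SML + "connection"):
                sources = []
                for child in conn:  # dbPr / webPr / textPr carry the source
                    for attr in ("connection", "command", "url"):
                        if child.get(attr):
                            sources.append(child.get(attr))
                findings["connections"].append(
                    {"name": conn.get("name", ""), "sources": sources})
        for name in names:
            if EXTERNAL_LINK_RE.fullmatch(name):
                root = ET.fromstring(pkg.read(name))
                for dde in root.iter(SML + "ddeLink"):
                    findings["dde_links"].append(
                        {"service": dde.get("ddeService", ""),
                         "topic": dde.get("ddeTopic", "")})
            elif CUSTOM_XML_RE.fullmatch(name):
                root = ET.fromstring(pkg.read(name))
                if root.tag == MASHUP + "DataMashup":
                    findings["has_power_query"] = True
    return findings


def triage(findings: dict) -> list:
    """Human-readable reasons to review the file before a user opens it."""
    reasons = []
    for dde in findings["dde_links"]:
        # Excel-to-Excel DDE ("excel") is ordinary; any other service name
        # means an outside program would be started as the DDE server.
        if dde["service"].lower() != "excel":
            reasons.append(f"DDE link to external service {dde['service']!r}")
    for conn in findings["connections"]:
        for src in conn["sources"]:
            for url in URL_RE.findall(src):
                reasons.append(f"connection {conn['name']!r} fetches {url}")
            if "Microsoft.Mashup.OleDb" in src:
                reasons.append(f"connection {conn['name']!r} is a Power Query mashup")
    if findings["has_power_query"] and findings["dde_links"]:
        reasons.append("Power Query part and DDE link in the same workbook")
    return reasons


def build_sample(with_dde: bool = True) -> bytes:
    """Constructed minimal package (not a real sample): one Power Query
    connection, one web query, a DataMashup part and, optionally, a DDE link."""
    connections = (
        f'<connections xmlns="{SML[1:-1]}">'
        '<connection id="1" name="Query - feed" type="5">'
        '<dbPr connection="Provider=Microsoft.Mashup.OleDb.1;Data Source=$Workbook$;'
        'Location=feed" command="SELECT * FROM [feed]"/></connection>'
        '<connection id="2" name="web" type="4">'
        '<webPr url="http://example.invalid/data.html"/></connection>'
        '</connections>')
    external = (
        f'<externalLink xmlns="{SML[1:-1]}">'
        '<ddeLink ddeService="cmd" ddeTopic="/c PLACEHOLDER"><ddeItems/></ddeLink>'
        '</externalLink>')
    mashup = f'<DataMashup xmlns="{MASHUP[1:-1]}">AAAAAA==</DataMashup>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("xl/connections.xml", connections)
        pkg.writestr("customXml/item1.xml", mashup)
        if with_dde:
            pkg.writestr("xl/externalLinks/externalLink1.xml", external)
    return buf.getvalue()


if __name__ == "__main__":
    for reason in triage(scan_xlsx(build_sample())):
        print("-", reason)
```

The script deliberately does not decode the Power Query M code inside the DataMashup blob; the presence of a mashup part next to a non-Excel DDE link is already enough to pull a file for review, and a mail gateway or EDR pipeline can run this kind of check on attachments without rendering the workbook.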
Attackers aim to evade the detection capabilities their victims have in place. While this kind of attack may come to be detected over time as threat intelligence is shared among security experts and information-sharing platforms, all Microsoft Excel customers are strongly advised to implement the workarounds Microsoft suggests: the potential threat to these users is real, and the exploit could be damaging.