Information Security Advisory ITS Security Office – BGSU 3/31/2008
Hackers are exploiting critical vulnerabilities in Excel. Infections can occur from visiting malicious websites or opening untrusted
email attachments. Apply the multiple Microsoft Office updates released in March 2008. For more information, see Microsoft Security
Bulletin MS08-014 and the known issues regarding the patch.
Systems Affected: Operating systems: Microsoft Windows - Excel 2000, 2002, 2003, 2007, Excel 2003 Viewer, Excel Converter 2007. Microsoft Office 2008 for Mac, Microsoft Office 2004 for Mac.
Overview: Vulnerabilities in Microsoft Office, including Excel, were discovered, and software updates were released in March 2008. A maliciously
crafted Excel file can infect a user when it is opened, and it can be delivered as an email attachment. Symantec also discovered
a malicious website hosting a malicious Excel file that infects a user with Trojan.Mdropper.AA when opened. Although the
vulnerabilities have been patched by Microsoft, attackers are attempting to exploit users who have not yet applied the fixes.
Description: By opening a malicious Excel file, an unsuspecting user can be infected by a trojan and remotely controlled by an attacker.
The malicious files can be delivered by untrusted email or by visiting untrusted websites.
Impact: Loss of sensitive and personal information, including passwords and financial data. Infected systems can be remotely controlled
for other cybercrime-related activities.
Solutions: Apply the patches released by Microsoft. Specific information and direct links to updates can be found here.
Other recommendations: Be skeptical of unexpected email attachments. Visit only known, trusted websites.
Additional Information:
National Vulnerability Database - CERT/NIST
Hackers seize on Excel vulnerability - ComputerWorld 3/26/2008
Hackers exploit Excel Hole - Washington Post 3/26/2008
Excel trojan information - Trojan.Mdropper.AA - Symantec
DISCLAIMER: Information Security Advisories and related resources provide technical and administrative advice to protect sensitive information
on the University network and to help BGSU comply with regulations pertaining to information security. Failure to comply
with these advisories may directly or indirectly increase the risk of exposure or compromise of sensitive University information.
These advisories and resources do not provide legal advice – contact the BGSU Office of General Counsel or other appropriate
legal advisor for interpretations of regulations.