Although Microsoft Excel can be pretty secure, a group of researchers from Mimecast Threat Center has disclosed an Excel exploit that could leave millions of Excel users vulnerable to remote attack.
In a recent blog post, the researchers noted that the security flaws make it possible for an attacker to use the spreadsheet program’s Power Query tool to launch a Dynamic Data Exchange (DDE) attack on a document. Moreover, the exploit can allow attackers to embed malicious code and spread malware through unsuspecting users.
Most importantly, the researchers noted that, unlike other attacks, the exploit doesn’t require the user to do anything other than open a document, and the attack can be completed without further confirmation. Mimecast’s Ofir Shlomo noted, “The feature gives such rich controls that it can be used to fingerprint a sandbox or a victim’s machine even before delivering any payloads. The attacker has potential pre-payload and pre-exploitation controls and could deliver a malicious payload to the victim while also making the file appear harmless to a sandbox or other security solutions.”
Shortly after the discovery, the firm worked with Microsoft to determine whether the flaw was an intentional behavior. However, Microsoft has since declined to release a fix for the time being and instead provided a workaround to mitigate the problems that can arise from the vulnerability.
Given that the exploit can be pretty dangerous, it’s likely that Microsoft will release a fix sometime soon.