Researchers identify new Microsoft Excel attack vector

Researchers have identified a critical security vulnerability in Microsoft Office’s Excel spreadsheet program that allows an attacker to trigger a malware attack on remote systems. A Microsoft Excel feature called Power Query can be exploited to plant malware on remote systems. Researchers at Mimecast Threat Center say they have developed a proof-of-concept attack scenario and reported the vulnerability.

Power Query allows users to embed outside data sources, such as external databases or web-based data, into a spreadsheet. Mimecast developed a technique to launch a remote Dynamic Data Exchange (DDE) attack into an Excel spreadsheet, deliver a malicious payload and actively control the payload via Power Query.

“Power Query could also be used to launch sophisticated, hard-to-detect attacks that combine several attack surfaces. Using Power Query, attackers could embed malicious content in a separate data source, and then load the content into the spreadsheet when it is opened,” wrote Ofir Shlomo, security research team leader at Mimecast in a technical description of the proof-of-concept (PoC) attack.

Mimecast said it worked with Microsoft in its disclosure process; however, Microsoft declined to release a fix. Instead, Microsoft is suggesting a workaround mitigation to fend off attacks exploiting the PoC technique.

One Mimecast attack scenario starts with an adversary hosting an external webpage on an HTTP server that contains the malicious payload that will eventually be dropped into the spreadsheet. “The HTTP server listened locally on port 80 and served DDE content as a response when a request was received from the spreadsheet,” Shlomo said.

Using Microsoft Excel 2016, the target who is enticed to open the spreadsheet is prompted to request the malicious webpage hosted remotely. The request to fetch and load the third-party data is not silent; rather, the user is presented with a dialog box offering “OK” or “Cancel,” and the URL is clearly shown.

If the user chooses to permit the outside data to load into the Excel spreadsheet cell, the attack begins. “To make the DDE run, the user is required to double click the cell that loads the DDE and to then click again to release it. Those operations will trigger the DDE and launch the payload that was received from the web,” the researcher wrote.

However, researchers say that in the older Microsoft Excel 2010 the payload is executed automatically, with no user interaction needed. The command “Get External Data >> From Web” is triggered when the Excel spreadsheet is opened, with no “Click to run” prompt. In these requests, Excel uses the Connections.xml framework with web properties (webPr) rather than database properties (dbPr). “Unlike ‘dbPr,’ ‘webPr’ [is much simpler and] does not require any user actions to run the payload,” the researcher explained.
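A defender-side triage check for the Connections.xml mechanism described above, added here as an example (it is not Mimecast’s PoC or Microsoft code): it opens an .xlsx, reads the xl/connections.xml part and reports each external connection and whether it is a web source (webPr) or a database source (dbPr). The sample workbook is constructed in memory and the URL in it is a placeholder, not a real indicator.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML main namespace used by xl/connections.xml in OOXML workbooks
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

def list_external_connections(xlsx_bytes: bytes) -> list:
    """Return one dict per <connection>: name, source kind, and target."""
    found = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        if "xl/connections.xml" not in zf.namelist():
            return found  # workbook has no external data connections at all
        root = ET.fromstring(zf.read("xl/connections.xml"))
    for conn in root.findall("m:connection", NS):
        entry = {"name": conn.get("name", ""), "kind": "other", "target": ""}
        web = conn.find("m:webPr", NS)
        db = conn.find("m:dbPr", NS)
        if web is not None:
            # webPr: "From Web" source; url is where Excel fetches content from
            entry["kind"] = "webPr"
            entry["target"] = web.get("url", "")
        elif db is not None:
            # dbPr: database source; the connection string names provider/server
            entry["kind"] = "dbPr"
            entry["target"] = db.get("connection", "")
        found.append(entry)
    return found

def build_sample_xlsx() -> bytes:
    """Constructed minimal workbook zip holding only the connections part."""
    connections_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<connections xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        '<connection id="1" name="Connection">'
        '<webPr url="http://example.invalid/data" xml="0"/>'  # placeholder URL
        '</connection>'
        '<connection id="2" name="Query1">'
        '<dbPr connection="Provider=SQLOLEDB;Data Source=db.example" command="SELECT 1"/>'
        '</connection>'
        '</connections>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/connections.xml", connections_xml)
    return buf.getvalue()

if __name__ == "__main__":
    for c in list_external_connections(build_sample_xlsx()):
        print(f"{c['name']}: {c['kind']} -> {c['target']}")
```

Any webPr entry pointing at an external URL is worth a closer look before the file is released to a user, since that is the fetch Excel performs when the sheet is opened.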

“Attackers are looking to subvert the detections that victims have. While there is a chance that this kind of attack may be detected over time as threat intelligence is shared between various security experts and information sharing platforms, Mimecast strongly recommends all Microsoft Excel customers implement the workarounds suggested by Microsoft as the potential threat to these Microsoft users is real and the exploit could be damaging,” Shlomo wrote.