Researchers discover vulnerability in the Microsoft Excel tool

Excel spreadsheet vulnerability enables cyber criminals to launch attacks on unwitting users

Security researchers have identified a vulnerability in Microsoft Excel that enables attackers to embed malicious payloads.

According to Mimecast's Threat Center, cyber criminals can mount a Dynamic Data Exchange (DDE) attack through a spreadsheet and control the payload remotely using Power Query.

With Power Query, users are able to integrate spreadsheets with data sources, such as external databases, text, documents and webpages, before saving them in a spreadsheet.

But Ofir Shlomo, who led the research team, claims the feature can also be used for launching "sophisticated, hard-to-detect attacks that combine several attack surfaces".

He said: "Using Power Query, attackers could embed malicious content in a separate data source, and then load the content into the spreadsheet when it is opened.


"The malicious code could be used to drop and execute malware that can compromise the user's machine."

Shlomo added that the feature boasts rich controls that enable attackers to fingerprint a sandbox or a victim's machine before delivering payloads.

This vulnerability also provides the attacker with potential pre-payload and pre-exploitation controls, as well as enabling them to launch an attack through a file that appears harmless.

"The Power Query feature is designed to allow you to embed remote content easily and dynamically. Such attacks are usually hard to detect and give threat actors more chances to compromise the victim's host," said Shlomo.

"Using the potential weakness in Power Query, attackers could potentially embed any malicious payload that, as designed, won't be saved inside the document itself, but downloaded from the web when the document is opened."

To demonstrate the effectiveness of this method, the research team loaded an external webpage containing the payload into a spreadsheet.

Shlomo said the team could "write a custom, simple HTTP server to host the payload on a web page to be served". He continued: "The HTTP server listened locally on port 80 and served DDE content as a response when a request was received from the spreadsheet."

After the flaw was reported to Microsoft, the tech giant published a security advisory outlining steps users can take to mitigate such attacks.

Microsoft said: "An attacker could leverage the DDE protocol by sending a specially crafted file to the user and then convincing the user to open the file, typically by way of an enticement in an email.

"The attacker would have to convince the user to disable Protected Mode and click through one or more additional prompts. As email attachments are a primary method an attacker could use to spread malware, Microsoft strongly recommends that customers exercise caution when opening suspicious file attachments."
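For defenders triaging attachments, the features described above (Power Query connections, web queries and DDE links) leave markers inside the workbook package even though the payload itself is not stored in the file. The following Python code is an added example, not code from Mimecast or Microsoft; the function names, marker strings and part names are this example's assumptions about the OOXML layout, and the sample workbook is constructed.

```python
import io
import re
import zipfile

# Heuristic markers; part names and strings are assumptions of this example.
MAX_PART = 8 * 1024 * 1024                       # skip oversized parts (zip-bomb guard)
TAG = re.compile(rb"<(?:\w+:)?(ddeLink|webPr)\b([^>]*)>")
ATTR = re.compile(rb'([\w:]+)\s*=\s*"([^"]*)"')
MASHUP = "<DataMashup"                           # root element of a Power Query part

def triage_workbook(data: bytes) -> list[str]:
    """Return findings for external-content features in an .xlsx/.xlsm blob."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not-a-zip-package"]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.file_size > MAX_PART:
                findings.append(f"oversized-part:{info.filename}")
                continue
            part = zf.read(info)
            # Regex scan instead of an XML parser: the input is untrusted.
            if b"Microsoft.Mashup.OleDb" in part:
                findings.append(f"power-query-connection:{info.filename}")
            if MASHUP.encode() in part or MASHUP.encode("utf-16-le") in part:
                findings.append(f"power-query-definition:{info.filename}")
            for tag, raw in TAG.findall(part):
                attrs = {k.decode(): v.decode("utf-8", "replace") for k, v in ATTR.findall(raw)}
                if tag == b"ddeLink":
                    findings.append(f"dde-link:{attrs.get('ddeService')}|{attrs.get('ddeTopic')}")
                elif "url" in attrs:
                    findings.append(f"web-query:{attrs['url']}")
    return findings

def build_sample() -> bytes:
    """Constructed workbook skeleton (not a real document) for the demo."""
    mashup = '<DataMashup xmlns="http://schemas.microsoft.com/DataMashup">AAAA</DataMashup>'
    parts = {
        "xl/connections.xml": b'<connection id="1"><dbPr connection="Provider=Microsoft.Mashup.OleDb.1"/></connection>',
        "customXml/item1.xml": b"\xff\xfe" + mashup.encode("utf-16-le"),
        "xl/externalLinks/externalLink1.xml": b'<externalLink><ddeLink ddeService="SVC" ddeTopic="TOPIC"/></externalLink>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

Calling `triage_workbook(build_sample())` returns one finding per marker. A finding means the workbook pulls in external content and deserves a closer look, not that it is malicious, since Power Query is a legitimate feature.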
