Microsoft Excel continues to be a macro-level playground for hackers. Days after Microsoft’s latest alert of a cyber-crime campaign that twisted an Excel feature to compromise Windows machines, researchers at Mimecast have disclosed a weakness in the spreadsheet software that allows hackers to drop and execute malware.
"Power Query is a powerful and scalable business intelligence (BI) tool that lets users integrate their spreadsheets with other data sources, such as an external database, text document, another spreadsheet, or a web page. When sources are linked, the data can be loaded and saved into the spreadsheet, or loaded dynamically (when the document is opened, for example)," said Ofir Shlomo, security research team leader at Mimecast, in a blog post today (27 June).
According to the Mimecast team, Power Query can be used to launch sophisticated, hard-to-detect attacks that combine several attack surfaces. Attackers could embed malicious content in a separate data source, and then load the content into the spreadsheet when it is opened. The malicious code could be used to drop and execute malware that can compromise a user’s machine.
Once this BI tool gets linked to a malicious website, hackers could initiate a Dynamic Data Exchange (DDE) attack, which abuses a Windows protocol that allows applications to share data in an operating system.
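A defender can check a workbook for connections that fetch external data as soon as the file is opened. The sketch below is an added example, not code from Mimecast or Microsoft; it reads the `xl/connections.xml` part of an .xlsx/.xlsm file and lists Power Query connections marked to refresh on load. The function names are hypothetical and the sample workbook is constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
MASHUP = "microsoft.mashup.oledb"  # OLE DB provider named by Power Query connections


def triage_workbook(data: bytes) -> list:
    """List the data connections in an .xlsx/.xlsm and how each one refreshes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "xl/connections.xml" not in zf.namelist():
            return []
        part = zf.read("xl/connections.xml")
    if b"<!DOCTYPE" in part:  # OOXML parts carry no DTD; refuse entity tricks
        raise ValueError("unexpected DTD in connections.xml")
    findings = []
    for conn in ET.fromstring(part).iter(NS + "connection"):
        db = conn.find(NS + "dbPr")
        conn_str = db.get("connection", "") if db is not None else ""
        findings.append({
            "name": conn.get("name", ""),
            "power_query": MASHUP in conn_str.lower(),
            # refreshOnLoad="1": the data is fetched when the file is opened
            "refresh_on_load": conn.get("refreshOnLoad", "0") in ("1", "true"),
        })
    return findings


def needs_review(findings: list) -> list:
    """Names of Power Query connections that load data automatically at open."""
    return [f["name"] for f in findings
            if f["power_query"] and f["refresh_on_load"]]


def build_sample() -> bytes:
    """Constructed workbook skeleton holding only the part this check reads."""
    row = ('<connection id="{0}" name="{1}" type="5"{2}><dbPr connection="Provider='
           'Microsoft.Mashup.OleDb.1;Data Source=$Workbook$;Location={1}"/></connection>')
    part = ('<connections xmlns="%s">' % NS[1:-1]
            + row.format(1, "Query1", ' refreshOnLoad="1"')
            + row.format(2, "Static", "") + "</connections>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/connections.xml", part)
    return buf.getvalue()


if __name__ == "__main__":
    print(needs_review(triage_workbook(build_sample())))
```

A hit means the workbook pulls data without further user action, not that the data source is malicious; the query's source still has to be examined.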
Practically every Microsoft Excel user is vulnerable, and unofficial statistics say close to half a billion people worldwide use MS Excel.
"Mimecast worked with Microsoft as part of the Coordinated Vulnerability Disclosure (CVD) process to determine if this is an intended behavior for Power Query, or if it was an issue to be addressed. Microsoft declined to release a fix at this time and instead offered a workaround to help mitigate the issue," said the blog post.
Older versions of Office are more susceptible, as the payload could download and run automatically when the user opens the malicious Excel file, pointed out Matthew Aldridge, senior solutions architect at US-based internet security company Webroot.
"On newer versions of Office, the user would need to click several times within the spreadsheet to activate the malicious behaviour, so is far less of a risk. This highlights why it is good to keep up-to-date with new software versions to enhance your security posture," he said.
Earlier this month, Microsoft issued a warning about a spam wave that capitalised on an MS Office vulnerability. There is already a surge in malicious Word documents being spammed out, according to a recent study by WatchGuard.
"This is yet another exploit of the Microsoft Office suite that requires additional protection. Using the software daily does add to the risk, but the danger is even greater when employees are tempted to open documents from an unknown source," said Meni Farjon, chief scientist for advanced threat detection at Mimecast.
"The reality is that every Excel user is vulnerable by default, so businesses and individuals must take action now to ensure they don’t fall victim to a Power Query feature misuse," he added.