Discussion in 'Headline News' started by RickAgresta, Jun 27, 2019.

  1. RickAgresta

    RickAgresta Peanut, leader of the Peanutty Forces

    from Wired:

    YOU PROBABLY THINK of Microsoft's classic spreadsheet program Excel as mostly boring. Sure, it can wrangle data, but it's not exactly Apex Legends. For hackers, though, it's a lot of fun. Like the rest of the Office 365 suite, attackers often manipulate Excel to launch their digital strikes. And two recent findings demonstrate how the program's own legitimate features can be used against it.

    On Thursday, researchers from the threat intelligence firm Mimecast are disclosing findings that an Excel feature called Power Query can be manipulated to facilitate established Office 365 system attacks. Power Query allows users to combine data from various sources with a spreadsheet—like a database, second spreadsheet, document, or website. This mechanism for linking out to another component, though, can also be abused to link to a malicious webpage that contains malware. In this way, attackers can distribute tainted Excel spreadsheets that wreak havoc, from granting attackers system privileges to installing backdoors.

    "Attackers don’t need to invest in a very sophisticated attack, they can just open up Microsoft Excel and use its own tools," says Meni Farjon, Mimecast's chief scientist. "And you have basically 100 percent reliability. The exploit will work in all the versions of Excel as well as new versions, and will probably work across all operating systems, programming languages, and sub-versions, because it's based on a legitimate feature. That makes it very viable for attackers."

    Farjon suggests that once Power Query connects to a malicious website, attackers could initiate something like a Dynamic Data Exchange attack, which exploits a Windows protocol that lets applications share data in an operating system. Digital systems are usually set up to silo programs so they can't interact without permission. So protocols like DDE exist to be a sort of mediator in situations where it would be useful for programs to compare notes. But attackers can embed the commands that initiate DDE in their website, and then use Power Query commands in a malicious spreadsheet to merge the website’s data with the spreadsheet and set off the DDE attack. They could use the same type of flow to drop other malware onto a target system through Power Query, too.

    Microsoft offers prompts that warn users when two programs are going to link through DDE, but hackers have launched DDE attacks from Word documents and Excel sheets since about 2014, tricking users into clicking through the prompts.

    Poster's note: there's a good bit more to the article...
    EdmundDantes, raspabalsa and Hook like this.
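
Added example, not part of the original posts or the Wired article: a triage check for the Power Query mechanism described above, listing the web fetches defined in a workbook's embedded queries. It assumes the query is stored as a DataMashup custom XML part laid out as in Microsoft's MS-QDEFF specification; the function names, the sample workbook and the example.test URL are constructed for illustration.

```python
import base64, io, re, struct, zipfile
import xml.etree.ElementTree as ET

# M functions that make Power Query fetch remote content.
WEB_CALL = re.compile(r'\b(Web\.Contents|Web\.Page|Web\.BrowserContents)\s*\(\s*"([^"]*)"')

def extract_m_code(item_xml: bytes):
    """Return the M source from a DataMashup custom XML part, or None."""
    try:
        root = ET.fromstring(item_xml)
    except ET.ParseError:
        return None
    if not root.tag.endswith("DataMashup") or not root.text:
        return None
    blob = base64.b64decode(root.text)
    if len(blob) < 8:
        return None
    # Assumed layout (MS-QDEFF): uint32 version, uint32 package length, package ZIP.
    _version, pkg_len = struct.unpack_from("<II", blob, 0)
    with zipfile.ZipFile(io.BytesIO(blob[8:8 + pkg_len])) as pkg:
        return pkg.read("Formulas/Section1.m").decode("utf-8", "replace")

def scan_workbook(xlsx: bytes):
    """List (function, url) pairs for web fetches defined in embedded queries."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(xlsx)) as z:
        for name in z.namelist():
            if name.startswith("customXml/item") and name.endswith(".xml"):
                m_code = extract_m_code(z.read(name))
                if m_code:
                    hits += WEB_CALL.findall(m_code)
    return hits

def build_sample(m_code: str) -> bytes:
    """Constructed, minimal workbook-like ZIP holding one DataMashup part."""
    pkg = io.BytesIO()
    with zipfile.ZipFile(pkg, "w") as z:
        z.writestr("Formulas/Section1.m", m_code)
    raw = pkg.getvalue()
    blob = struct.pack("<II", 0, len(raw)) + raw
    xml = ('<DataMashup xmlns="http://schemas.microsoft.com/DataMashup">'
           + base64.b64encode(blob).decode() + "</DataMashup>")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("customXml/item1.xml", xml)
    return out.getvalue()

SAMPLE_M = 'section Section1;\nshared Query1 = let Source = Web.Contents("http://example.test/feed") in Source;'

if __name__ == "__main__":
    for func, url in scan_workbook(build_sample(SAMPLE_M)):
        print(f"{func} -> {url}")
```

Only URLs written as string literals are matched; a query that builds its URL from variables still shows up as a DataMashup part, which is itself worth a closer look in a workbook from an untrusted sender.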
  2. raspabalsa

    raspabalsa Brain stuck BogoMipping

    Scary article, especially considering that Excel files comprise about 75% of all files I open daily, and maybe half of that is files shared via Google Drive or email. But the article offers very little in the way of solutions to the threats it exposes. Should I completely stop using Excel? Should I stop using collaboration tools, and send every Excel attachment to the email trash bin? DDE is disabled on my laptop, but from what I understand it seems this is not enough. What then?
    Hook likes this.