Workarounds for Excel 'Zero-Day' Flaw
Microsoft Security Advisory (921365)
- Title: Vulnerability in Excel Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/921365.mspx
- Revision Note: Advisory Published: June 19, 2006
Microsoft is investigating new public reports of limited “zero-day” attacks using a vulnerability in Microsoft Excel 2003, Excel Viewer 2003, Excel 2002, Excel 2000, Microsoft Excel 2004 for Mac, and Microsoft Excel v. X for Mac. In order for this attack to be carried out, a user must first open a malicious Excel file attached to an e-mail or otherwise provided to them by an attacker.
Opening the Excel document out of email will prompt the user to be careful about opening the attachment.
As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources. Microsoft has added detection to the Windows Live Safety Center today for up-to-date removal of malicious software that attempts to exploit this vulnerability.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Windows Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.
Workarounds for Microsoft Excel Remote Code Vulnerability:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
On Excel 2003, prevent Excel Repair mode by modifying the Access Control List (ACL) to the Excel Resiliency registry key
This vulnerability is exploited when Excel enters repair mode. Preventing Excel from entering repair mode can block the vulnerability from being exploited on Excel 2003. To prevent Excel from entering repair mode, change the Access Control Lists (ACL) settings using either the registry editor or Group Policy to remove all user accounts from accessing the registry key. To do this manually, follow these steps:
Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.
Note We recommend backing up the registry before you edit it.
For Windows 2000
Note Make a note of the permissions that are listed in the dialog box so that you can restore them to their original values at a later time.
1. Click Start, click Run, type regedt32, and then click OK.
2. Expand HKEY_CURRENT_USER, expand Software, expand Microsoft, expand Office, expand 11.0, expand Excel, and then click Resiliency. If the key does not exist, create it.
3. Highlight this key, click Security, and then click Permissions.
4. Click to clear the Allow Inheritable Permissions from the parent to propagate to this object check box. You are prompted to click Copy, Remove, or Cancel. Click Remove, and then click OK.
5. You receive a message that states that no one will be able to access this registry key. Click Yes when you are prompted to do so.
For Windows XP Service Pack 1 or later operating systems
Note Make a note of the permissions that are listed in the dialog box so that you can restore them to their original values at a later time.
1. Click Start, click Run, type "regedit" (without the quotation marks), and then click OK.
2. Expand HKEY_CURRENT_USER, expand Software, expand Microsoft, expand Office, expand 11.0, expand Excel, and then click Resiliency. If the key does not exist, create it.
3. Click Edit, and then click Permissions.
4. Click Advanced.
5. Click to clear the "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here" check box. You are prompted to click Copy, Remove, or Cancel. Click Remove, and then click OK.
6. You receive a message that states that no one will be able to access this registry key. Click Yes, and then click OK to close the Permissions dialog box for this registry key.
Impact of Workaround: The repair mode in Excel helps open corrupted Excel documents. After applying this workaround, Excel will not attempt to repair corrupted Excel documents and may not recover gracefully when opening a malformed Excel document. If Excel is unstable after opening a malformed Excel document, close all Excel processes with Task Manager and restart Excel.
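The same Resiliency-key change as a script, for the user who runs it. This is an added example, not part of the Microsoft advisory; the backup file location is a hypothetical choice, and the script assumes PowerShell is available on the machine.

```powershell
# Added example (not from the advisory): remove all access to the
# Excel 2003 Resiliency key for the currently logged-on user.
$keyPath    = 'HKCU:\Software\Microsoft\Office\11.0\Excel\Resiliency'
$backupFile = Join-Path $env:USERPROFILE 'excel-resiliency-acl.sddl.txt'   # hypothetical location

# "If the key does not exist, create it."
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# "Make a note of the permissions": save the current security descriptor
# as SDDL text before changing anything. An existing note is never overwritten,
# so a second run cannot replace the original permissions with the locked-down ones.
$acl = Get-Acl -Path $keyPath
if (-not (Test-Path -Path $backupFile)) {
    $acl.Sddl | Set-Content -Path $backupFile -Encoding ASCII
}

# Clear the inheritance check box and choose "Remove":
# isProtected = $true, preserveInheritance = $false.
$acl.SetAccessRuleProtection($true, $false)

# Drop any entries that were defined explicitly on the key as well,
# so that the resulting access list is empty.
$explicitRules = @($acl.Access | Where-Object { -not $_.IsInherited })
foreach ($rule in $explicitRules) {
    [void]$acl.RemoveAccessRule($rule)
}

# Write the empty access list back to the key.
Set-Acl -Path $keyPath -AclObject $acl
Write-Output "Access removed from $keyPath; original permissions noted in $backupFile"
```

Because the key is under HKEY_CURRENT_USER, the change applies only to the account that runs the script and has to be repeated for each user of the machine.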
To prevent Excel documents from entering a corporate network directly, block all Excel file types at the E-mail gateway.
Note This will not protect against other attack vectors including a web-based attack.
The following file-types are Excel file-types that can exploit this vulnerability and would need to be blocked at the network perimeter:
xls, xlt, xla, xlm, xlc, xlw, uxdc, csv, iqy, dqy, rqy, oqy, xll, xlb, slk, dif, xlk, xld, xlshtml, xlthtml, xlv
Block the ability to open Excel documents from Outlook as attachments, web sites, and the file system directly by removing the registry keys that associate the Excel documents with the Excel application.
Excel documents can be opened automatically in Excel by opening them as e-mail attachments, by visiting websites that attempt to load the Excel documents, and from the file system or file shares by double-clicking on the document. Removing the following registry keys will block these attack vectors by preventing Excel documents from loading in Excel directly. To remove these keys follow these steps:
Note While the vulnerability exists in the Excel Viewer 2003, Excel 2002, and Excel 2000, the current exploit has not affected these applications.
Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.
1. Click Start, click Run, type "regedit" (without the quotation marks), and then click OK. On Windows 2000, type regedt32 instead.
2. Highlight each of the registry keys in the list below.
3. Right-click each key, click Delete, and then click Yes to confirm the deletion.
Note: Depending on installation, some of the keys below may not exist.
Note We recommend backing up each of the registry keys below so that the deleted keys can be restored.
HKEY_CLASSES_ROOT\Excel.Addin\shell
HKEY_CLASSES_ROOT\Excel.Backup\shell
HKEY_CLASSES_ROOT\Excel.Chart\shell
HKEY_CLASSES_ROOT\Excel.Chart.8\shell
HKEY_CLASSES_ROOT\Excel.CSV\shell
HKEY_CLASSES_ROOT\Excel.DIF\shell
HKEY_CLASSES_ROOT\Excel.Macrosheet\shell
HKEY_CLASSES_ROOT\Excel.Sheet.8\shell
HKEY_CLASSES_ROOT\Excel.SLK\shell
HKEY_CLASSES_ROOT\Excel.Template\shell
HKEY_CLASSES_ROOT\Excel.Workspace\shell
HKEY_CLASSES_ROOT\Excel.XLL\shell
HKEY_CLASSES_ROOT\Excelhtmlfile\shell
HKEY_CLASSES_ROOT\Excelhtmltemplate\shell
HKEY_CLASSES_ROOT\.xls
HKEY_CLASSES_ROOT\.xlt
HKEY_CLASSES_ROOT\.xla
HKEY_CLASSES_ROOT\.xlm
HKEY_CLASSES_ROOT\.xlc
HKEY_CLASSES_ROOT\.xlw
HKEY_CLASSES_ROOT\.uxdc
HKEY_CLASSES_ROOT\.csv
HKEY_CLASSES_ROOT\.iqy
HKEY_CLASSES_ROOT\.dqy
HKEY_CLASSES_ROOT\.rqy
HKEY_CLASSES_ROOT\.oqy
HKEY_CLASSES_ROOT\.xll
HKEY_CLASSES_ROOT\.xlb
HKEY_CLASSES_ROOT\.slk
HKEY_CLASSES_ROOT\.dif
HKEY_CLASSES_ROOT\.xlk
HKEY_CLASSES_ROOT\.xld
HKEY_CLASSES_ROOT\.xlshtml
HKEY_CLASSES_ROOT\.xlthtml
HKEY_CLASSES_ROOT\.xlv
HKEY_CLASSES_ROOT\ExcelViewer.Chart.8\shell
HKEY_CLASSES_ROOT\ExcelViewer.Macrosheet\shell
HKEY_CLASSES_ROOT\ExcelViewer.Sheet.8\shell
HKEY_CLASSES_ROOT\ExcelViewer.Template\shell
HKEY_CLASSES_ROOT\ExcelViewer.Workspace\shell
Impact of Workaround: Excel documents will no longer be opened outside the Excel application. To view Excel documents, open the Excel application and load the document directly using File and Open.
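The backup-then-delete procedure above as a script, covering every key in the list. This is an added example, not part of the Microsoft advisory; the backup directory and the `$dryRun` switch are hypothetical choices, and the script assumes an elevated PowerShell prompt.

```powershell
# Added example (not from the advisory): export each listed key to a .reg
# file, then delete it. A key is deleted only if its backup exists.
$backupDir = Join-Path $env:USERPROFILE 'excel-assoc-backup'   # hypothetical location
$dryRun    = $true     # hypothetical switch: set to $false to actually delete

$progIds = 'Excel.Addin','Excel.Backup','Excel.Chart','Excel.Chart.8','Excel.CSV',
           'Excel.DIF','Excel.Macrosheet','Excel.Sheet.8','Excel.SLK','Excel.Template',
           'Excel.Workspace','Excel.XLL','Excelhtmlfile','Excelhtmltemplate',
           'ExcelViewer.Chart.8','ExcelViewer.Macrosheet','ExcelViewer.Sheet.8',
           'ExcelViewer.Template','ExcelViewer.Workspace'
$extensions = 'xls','xlt','xla','xlm','xlc','xlw','uxdc','csv','iqy','dqy','rqy',
              'oqy','xll','xlb','slk','dif','xlk','xld','xlshtml','xlthtml','xlv'

# ProgID entries lose their \shell subkey; extension entries are removed whole.
$keys = @($progIds | ForEach-Object { "$_\shell" }) +
        @($extensions | ForEach-Object { ".$_" })

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

foreach ($key in $keys) {
    $psPath = "Registry::HKEY_CLASSES_ROOT\$key"
    if (-not (Test-Path -LiteralPath $psPath)) { continue }   # key not installed

    # One backup file per key, e.g. Excel_Sheet_8_shell.reg or _xls.reg.
    $regFile = Join-Path $backupDir (($key -replace '[\\.]', '_') + '.reg')
    if (-not (Test-Path -LiteralPath $regFile)) {
        & reg.exe export "HKCR\$key" $regFile | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Export failed, key left in place: $key"
            continue
        }
    }
    if (-not (Test-Path -LiteralPath $regFile)) {
        Write-Warning "No backup file found, key left in place: $key"
        continue
    }

    if ($dryRun) {
        Write-Output "Would delete $key (backup: $regFile)"
    } else {
        Remove-Item -LiteralPath $psPath -Recurse -Force
        Write-Output "Deleted $key (backup: $regFile)"
    }
}
```

To undo the workaround, import each saved file with `reg import`.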
Do not open or save Microsoft Excel files that you receive from untrusted sources.
This vulnerability could be exploited when a user opens a specially crafted Excel file. Excel files from trusted sources or Excel files that are known to be trusted can continue to be used.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.