Excel Flaw Highlights Need for Better App Security
- By Jabulani Leffall
- January 29, 2008
Don Leatham of Lumension Security has a first-step remedy to the ongoing security
concerns around Microsoft's Excel application.
"IT guys should tell end users right off the bat that if they see an unrecognizable
Excel document in their inbox, they should treat it like porn -- it's not something
you should be opening up at work."
Extreme measures aside, because Excel is one of the most commonly used software
applications on the planet, it is also becoming the most frequent target for
client-side attacks, security experts say.
In the last 18 months alone, more than 33 documented vulnerabilities pertained
specifically to the popular spreadsheet program, a figure Microsoft would neither
confirm nor deny. That averages almost two a month over the period, and it counts
only the documented cases. This prompts IT security mavens to assert that securing
Excel -- even above Internet Explorer -- should be Job No. 1 where Windows programs are concerned.
"Out of all the applications sitting on networks and desktops around the globe, Excel lends itself to be the most natural attack target because of its ubiquity in the corporate world," said Leatham, director of solutions strategy for Lumension, which is based in Scottsdale, Ariz. "This is definitely the one program IT pros are really pulling their hair out over because more often than not, Excel documents carry sensitive information such as financial data and the like."
Security Response Center Responds
In mid-January, Microsoft's security group said there were ongoing attacks exploiting a flaw in most versions of the popular spreadsheet program.
The software giant's Security Response Center said the attacks were sporadic and targeted rather than widespread in the wild. The underlying bug, which allows remote code execution when a crafted file is opened and has yet to be patched, affects mainly Excel 2000, Excel 2002, Excel 2003 Service Pack 2, Excel Viewer 2003 and Excel 2004 for Mac.
Redmond released its last Excel-specific patch in August 2007, when security
bulletin MS07-044 was meant to plug vulnerabilities of the same kind. The likely
attack method is to attach a malformed document to an e-mail or post it on a
Web site, then convince users to open the file. In the workplace, security
observers say the most common titles on these documents read: "pending layoffs,"
"executive salaries," "management bonuses" and "special project," followed by
the name of the company in cases where the attacks were more targeted.
"The increases in attacks on Excel are numerous and the application seems to be at the forefront of ushering in frequent application-level attacks that we're seeing more of now than ever," said Ben Greenbaum, a manager for Symantec Security Response.
In the last 12 months, Greenbaum said, Symantec had itself identified at least six in-the-wild Excel exploits for which there were no corresponding patches.
As of the end of January, Microsoft had not ruled out patching Excel but still didn't disclose any specifics about its future plans. A spokesperson would only say that the company would "continue to investigate the public reports and customer impact, taking the appropriate action to help protect customers, when the investigation concluded."
Excel's Rise to Omnipresence
In 1985, Microsoft released for the Mac the first version of the application
that's said to be on more than 85 percent of the world's PCs, with the first
Windows version following in 1987. The release was an effort to compete with
Lotus' then-market-leading 1-2-3 number-crunching program, whose share Excel
overtook in 1988. Many software historians even credit Excel with Microsoft's
ascendancy. But from the 1990s on, the security focus was mainly on networks,
because of the then-nascent Internet, and later on the operating system, once
Windows 95 catapulted Redmond into the software stratosphere.
But today, observers say, Microsoft spent so much time securing the OS that
many independent vendors and service providers, such as security consultants
and even IT and finance auditors, followed Redmond's lead. Thus, in large part,
few foresaw how critical application security would be.
"It's possible that some companies have been more laid-back about patching
their office products like Excel," said Graham Cluley, senior security consultant
at Oxford, England-based security consultancy Sophos. "Meanwhile, application
developers like Microsoft need to do more to ensure that their code cannot be
exploited by crafty hackers looking to break into vulnerable PCs via buggy software."
This is easier said than done. Although it is one of many programs in the
Microsoft Office suite, Excel -- like IE -- is also a development platform: it
runs macros, extracts data from database tables, and creates and manipulates
pivot tables. That makes it a large attack surface, and a malicious workbook has
many places to hide, whether in macro code or in malformed file structures that
trigger bugs somewhere in the tens of millions of lines of code that parse them.
Moreover, Excel is emerging as an actual business intelligence tool that is falling under the purview of IT compliance as it relates to Sarbanes-Oxley and other business mandates.
Gregory Grocholski, finance director for Dow Chemical, likes to use Excel as an everyday example of how applications are changing the way companies look at not only IT security but its role in validating financial reporting.
"While an IT auditor may not audit Excel itself, the auditor should perform testing on the calculations that ultimately result in a number that would be used to make an accounting entry," he said. "That's a reason why such a program would need to be foolproof."
Meanwhile, as IT pros wait on a patch, Redmond has introduced at least one workaround for Excel 2003. In a recent Knowledge Base article, Microsoft recommended running any foreign or suspicious attachments through the Microsoft Office Isolated Conversion Environment (MOICE), which converts legacy binary Office files to the Office Open XML format in an isolated process before they are opened. Still, that option is not available for Excel 2000 or 2002.
And for those not quite ready to inject porn into the security conversation,
Lumension's Leatham said security administrators should be double-checking Group
Policy Objects and configuring Excel's macro security settings so that macros
do not execute automatically. Marking sensitive documents read-only also serves
as an easy manual control to implement. Lastly, he said, an overarching enterprise
policy is key.
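As an added illustration of the macro-security check described above (this script is not from the article, Microsoft or Lumension), the following PowerShell audits the registry values behind Excel's macro security setting and can write the policy-hive value that a Group Policy Object would normally deliver. The key paths, value names and numeric meanings are assumptions based on how Office 2003 (version 11.0, value `Level`) and later releases (value `VBAWarnings`) record the setting; verify them against the Office version in your environment before relying on the output.

```powershell
# Added example (not from the article or Lumension): audit and, optionally, set
# the registry values behind Excel's macro security setting.
#
# Assumed registry layout (verify against your Office version):
#   Office 2003 (11.0):   ...\Excel\Security\Level        1=Low 2=Medium 3=High 4=Very High
#   Office 2007+ (12.0+): ...\Excel\Security\VBAWarnings  1=Enable all 2=Disable with notification
#                                                         3=Disable except signed 4=Disable all silently
# A value under HKCU\Software\Policies (the GPO hive) overrides the user hive.
# In both schemes a value of 1 means macros run automatically, which is the state to flag.

function Get-ExcelMacroSecurity {
    param(
        # Office version strings to check; 11.0 is Excel 2003, 12.0 is Excel 2007 (assumption)
        [string[]]$Versions = @('11.0', '12.0', '14.0', '15.0', '16.0')
    )
    foreach ($v in $Versions) {
        $valueName = if ($v -eq '11.0') { 'Level' } else { 'VBAWarnings' }
        $keys = [ordered]@{
            GPO  = "HKCU:\Software\Policies\Microsoft\Office\$v\Excel\Security"
            User = "HKCU:\Software\Microsoft\Office\$v\Excel\Security"
        }
        foreach ($source in $keys.Keys) {
            $path = $keys[$source]
            if (-not (Test-Path $path)) { continue }
            $value = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).$valueName
            if ($null -eq $value) { continue }
            [pscustomobject]@{
                Version  = $v
                Source   = $source
                Setting  = $valueName
                Value    = $value
                AutoRun  = ($value -eq 1)   # macros execute with no prompt at all
                Unsigned = ($value -lt 3)   # unsigned macros can still be enabled by the user
            }
        }
    }
}

function Set-ExcelMacroSecurity {
    # Writes the GPO-hive value so it wins over any per-user setting. In production,
    # deliver this through an actual Group Policy Object rather than by hand.
    param(
        [Parameter(Mandatory)][string]$Version,
        [ValidateRange(2, 4)][int]$Level = 3   # default: only digitally signed macros run
    )
    $valueName = if ($Version -eq '11.0') { 'Level' } else { 'VBAWarnings' }
    $path = "HKCU:\Software\Policies\Microsoft\Office\$Version\Excel\Security"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $valueName -Value $Level -Type DWord
    # Return the value as now stored, so the caller can confirm the write took effect.
    (Get-ItemProperty -Path $path).$valueName
}

# Usage: list every Excel install found under the current user, then flag auto-run.
$report = Get-ExcelMacroSecurity
$report | Format-Table -AutoSize
$report | Where-Object { $_.AutoRun } | ForEach-Object {
    Write-Warning ("Excel {0} ({1} setting) runs macros automatically; raise {2} to 3 or higher" -f $_.Version, $_.Source, $_.Setting)
}
```

The audit reports both hives so an administrator can see when a permissive per-user setting is actually being overridden by policy, and when no policy is present at all. A value of 2 stops automatic execution but still lets the user click through; only 3 or 4 keeps unsigned macros from running, which is the level to aim for on machines that handle the financial workbooks the article describes.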
"How often do you hear about IT staff telling people not to click on these
documents and they still do?" he said. "From a back-end perspective, you pretty
much have to wait for the patch and, when it comes, install it immediately.
Until then, managing end users is a difficult challenge. Bottom line is that
securing Excel should be on top of your IT shop's list."
Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.