Security researchers at Mimecast Services Ltd. uncovered a serious vulnerability in Microsoft Corp.’s Excel that, by Mimecast’s estimate, exposes around 120 million users to attack. The weakness lies in Power Query, an Excel feature that pulls data into a workbook from external sources. An attacker who controls one of those sources can have it return a Dynamic Data Exchange (DDE) command, so that when the query loads its data Excel is handed the attacker’s payload; because that payload lives on the remote source rather than in the spreadsheet, the attacker can change it at any time and the file itself carries nothing obviously malicious. The result is a hard-to-detect attack that combines several attack surfaces: the malicious content is kept in a separate data source, fetched when the spreadsheet is opened, and used to compromise the user’s machine.
In November 2017 Microsoft published an advisory on DDE that included workarounds, among them a recommendation that users disable DDE wherever it is not needed, which stops Excel from launching a DDE server on behalf of external data such as a Power Query result. The same advisory noted, however, that a user has to click through several security prompts before any malicious code can run, so the attack depends on social engineering as well as on the feature itself. The concern is nonetheless legitimate, because the feature is turned on by default. It is unclear how many organizations have acted on Microsoft’s earlier advice, and it seems unlikely that many have disabled it.
There are currently no known cases of the vulnerability being exploited in the wild, although that could change now that its details have been published. Microsoft has not published a fix for the vulnerability, nor has it indicated that it is working on one. With 120 million users at risk and the technique now widely known, we strongly recommend that all Microsoft Excel customers implement the workarounds suggested in Microsoft’s advisory.
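The following PowerShell is an added example of how an administrator could apply and then audit the Excel DDE workarounds the article refers to; it is not code from the original article, from Mimecast, or from Microsoft. It assumes per-user deployment (the HKCU hive), Office installed under the usual version keys 12.0 through 16.0, and the registry value names and hardened values that Microsoft’s DDE advisory documents for Excel (`DisableDDEServerLaunch`, `DisableDDEServerLookup`, `WorkbookLinkWarnings`); check those against the current advisory before rolling it out.

```powershell
# Added example (not from the original article): harden Excel's DDE handling per
# user, following the registry workarounds in Microsoft's November 2017 DDE
# advisory, then report any drift. Assumptions: HKCU deployment, Office version
# keys 12.0-16.0, value names/values as documented by Microsoft.

# Hardened settings:
#   DisableDDEServerLaunch = 1  -> Excel will not launch a DDE server for a link
#   DisableDDEServerLookup = 1  -> Excel will not look for an already-running DDE server
#   WorkbookLinkWarnings   = 2  -> workbook links are not updated automatically
$DdeSettings = @{
    DisableDDEServerLaunch = 1
    DisableDDEServerLookup = 1
    WorkbookLinkWarnings   = 2
}

# Office version subkeys to consider; only versions present on this profile are touched.
$OfficeVersions = '12.0', '14.0', '15.0', '16.0'

function Get-ExcelSecurityKeyPaths {
    # Returns the Security key path for each Excel version that exists in HKCU.
    foreach ($v in $OfficeVersions) {
        $excelKey = "HKCU:\Software\Microsoft\Office\$v\Excel"
        if (Test-Path $excelKey) {
            Join-Path $excelKey 'Security'
        }
    }
}

function Set-ExcelDdeHardening {
    foreach ($key in Get-ExcelSecurityKeyPaths) {
        # The Security subkey may not exist yet on a fresh profile.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $DdeSettings.Keys) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                -Value $DdeSettings[$name] -Force | Out-Null
        }
        Write-Host "Hardened $key"
    }
}

function Test-ExcelDdeHardening {
    # Emits one object per version/setting so results can be filtered or exported.
    # A missing key or value counts as non-compliant.
    foreach ($key in Get-ExcelSecurityKeyPaths) {
        foreach ($name in $DdeSettings.Keys) {
            $actual = $null
            if (Test-Path $key) {
                $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Key       = $key
                Setting   = $name
                Expected  = $DdeSettings[$name]
                Actual    = $actual
                Compliant = ($actual -eq $DdeSettings[$name])
            }
        }
    }
}

Set-ExcelDdeHardening
Test-ExcelDdeHardening | Format-Table -AutoSize
```

Run it in the context of the user whose Excel should be hardened; `Test-ExcelDdeHardening` alone is safe to run from a monitoring job to catch settings that a later Office update or a user reverts. Note that these values also stop legitimate DDE-based links from updating, so test against any workbooks or add-ins that rely on DDE before deploying broadly.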