Microsoft Excel Vulnerable to Remote Code Execution


Microsoft has released a security advisory notifying its customers of a critical flaw in Microsoft Excel that allows remote code execution. Microsoft Office 2000, Office XP, Office 2003 and Microsoft Office 2004 for Mac are affected by this "very limited zero-day vulnerability", Microsoft said.

For the attack to be successful, the attacker has to trick users into downloading and opening a malicious Office file, either through email or from a website. Although Microsoft Excel is the current attack vector, all the other Office applications are vulnerable. I have not yet come across a PoC for this exploit, though I am sure that it is out there. I will update as I find the PoC for this.

McAfee has named this the MSExcel.h virus, and it displays the following characteristics:

  •   Unpacks the XOR-encrypted shellcode in memory
  •   Loads KERNEL32.DLL using a hardcoded address specific to Windows XP Service Pack 2. On other versions of Windows, Excel will simply crash.
  •   Creates a new file in %Temp%\top10.exe using the API calls GetTempPathA and CreateFileA
  •   Seeks the open file handle of the XLS file in memory, using the API call GetFileSize to match a specific file size
  •   Extracts the payload from the XLS file and writes it into %Temp%\top10.exe
  •   Executes %Temp%\top10.exe


This executable is a new variant of the BackDoor-CWA trojan.
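
The drop-and-run behaviour listed above can be turned into a detection rule. The following is an added example, not code from the original post or from McAfee: it correlates an Office process writing an executable into a Temp directory with that same file then being launched by Office. The event schema, field names, extension list and sample events are assumptions constructed for illustration.

```python
import ntpath  # parses Windows paths regardless of the analyst's OS

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}  # assumed image names
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}            # assumed extension list
EXCEL = r"C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE"
DROPPED = r"C:\DOCUME~1\alice\LOCALS~1\Temp\top10.exe"

# Constructed sample events in a hypothetical schema, not real telemetry.
SAMPLE_EVENTS = [
    {"type": "file_create", "time": 1, "process": EXCEL, "target": DROPPED},
    {"type": "process_create", "time": 2, "parent": EXCEL, "image": DROPPED},
    # Benign: Office writes scratch files to %Temp% all the time.
    {"type": "file_create", "time": 3, "process": EXCEL,
     "target": r"C:\DOCUME~1\alice\LOCALS~1\Temp\~DF3A.tmp"},
    # Benign: the user starts Excel from the shell.
    {"type": "process_create", "time": 4,
     "parent": r"C:\WINDOWS\explorer.exe", "image": EXCEL},
]

def image_name(path):
    return ntpath.basename(path).lower()

def is_temp_executable(path):
    """True for an executable extension under a directory named Temp."""
    parts = path.lower().split("\\")
    return "temp" in parts[:-1] and ntpath.splitext(parts[-1])[1] in EXECUTABLE_EXTS

def detect_office_droppers(events):
    """Return (severity, rule, path) alerts in event order."""
    dropped, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] == "file_create":
            if image_name(ev["process"]) in OFFICE_IMAGES and is_temp_executable(ev["target"]):
                dropped.add(ev["target"].lower())
                alerts.append(("medium", "office_wrote_temp_executable", ev["target"]))
        elif ev["type"] == "process_create":
            # Escalate when the file Office just wrote is launched by Office.
            if ev["image"].lower() in dropped and image_name(ev["parent"]) in OFFICE_IMAGES:
                alerts.append(("high", "office_ran_dropped_executable", ev["image"]))
    return alerts

if __name__ == "__main__":
    for alert in detect_office_droppers(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the behaviour rather than the file name top10.exe, so a renamed payload still matches.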
