Have I opened a malicious file? Microsoft Excel vulnerability detection

15 December 2016

By Iliyan Velikov


During ongoing research into the latest potential threats we discovered a vulnerability in Excel and promptly disclosed it to the software vendor, Microsoft. Upon request we provided additional information to help Microsoft develop a patch for this vulnerability (CVE-2016-7262 is reserved for it), which was released yesterday as part of the vendor’s monthly Patch Tuesday.

We are releasing this blog to encourage organisations and individuals to deploy the patch developed by Microsoft as quickly as possible. In addition, we want to highlight what could happen when an untrusted XLSX or XLS file is processed by Excel.

Vulnerability overview

A vulnerability existed in a number of versions of Excel that could result in command execution when a user double-clicks a malicious file. Our initial testing showed that Excel 2007 and Excel 2016 are vulnerable. Microsoft identified all vulnerable versions in their security bulletin [1].

What if this vulnerability is exploited

The vulnerability could allow a threat actor to gain access to the device on which a malicious Excel file is processed. Once the threat actor has gained access, they could attempt to escalate their privileges to access sensitive data, or attempt to gain access to other devices reachable from the compromised machine.

Related recent developments

A recent Microsoft case study shows that threat actors are actively seeking other methods that can be used to gain access to a targeted device [2]. This is further supported by the latest version of Dridex [3] that deploys a technique described in the Microsoft blog.

Another interesting development highlighted by Proofpoint shows a new trick that can mislead users into executing a macro on their device by enticing them to enable macros and to click on an embedded image [4].

Other research has shown how formula injection can be achieved using comma separated value (CSV) files alone [5]. Our work differs in that the vulnerability we discovered is triggered when an XLSX or an XLS file (the file format of older Excel versions) is processed by Excel.

The articles we reference show techniques a threat actor could use to obtain initial access to a device, but those techniques do not rely on the vulnerability that we discovered.

Have I opened a malicious file?

Once the vulnerability is exploited the following error message is displayed by Excel:

[Screenshot: the Excel error message displayed after the vulnerability is triggered]

However, there may be other ways to trigger this vulnerability that will not present this particular error message.

Our research showed that users could expose themselves and their businesses to risk when they open files from an untrusted source, such as an attachment in a phishing email. Some of the possible implications include, but are not limited to:

  • Unauthorised access to devices;
  • Sensitive information disclosure;
  • Reputational damage.

Advice on spear phishing attacks and what organisations can do to protect themselves is available from The Centre for the Protection of National Infrastructure (CPNI) [6] [7].

We know that threat actors are improving their toolsets and that their attacks are becoming more sophisticated [2] [3] [4]; it is therefore important that we all follow the appropriate policies and guidelines in order to protect ourselves against phishing attacks.


[1] https://technet.microsoft.com/en-us/library/security/MS16-148

[2] https://blogs.technet.microsoft.com/mmpc/2016/06/14/wheres-the-macro-malware-author-are-now-using-ole-embedding-to-deliver-malicious-files/

[3] https://blog.gdatasoftware.com/2016/10/29261-dridex-an-old-dog-is-learning-new-tricks

[4] https://www.proofpoint.com/uk/threat-insight/post/spike-kovter-ad-fraud-malware-clever-macro-trick

[5] https://www.contextis.com/resources/blog/comma-separated-vulnerabilities

[6] https://www.cpni.gov.uk/advice/cyber/spear-phishing/

[7] https://www.cpni.gov.uk/documents/publications/2013/2013053-spear-phishing-understanding-the-threat.pdf?epslanguage=en-gb
