English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Patch Tuesday September 2011

0.2
 

This month's Microsoft patch release is pushed out with lower urgency recommendations overall. While the Sharepoint and server side vulnerabilities are interesting, IT and individuals should attend to the Excel vulnerabilities with urgency. Microsoft is also putting to bed any issues related to Diginotar certificate trust by adding cross signed Diginotar root certificates to the Microsoft Untrusted Certificate Store.

Only five security bulletins are being distributed along with the Diginotar Certificate additions and updates. None are labeled with "Deployment Priority 1". However, in light of the ongoing spearphishing and targeted attacks, the most relevant and important of these arguably is the Excel related bulletin, MS11-072. While it is being listed as "Important", not every enterprise has rolled out the latest version of Excel to all of their systems. A set of "use-after-free" and other heap corruption vulnerabilities that are very difficult to discover with automated auditing frameworks plague the application. These vulnerabilities can be exploited to execute spyware, backdoors, and downloaders of the attackers' choosing on victim systems. Excel related email attachments and links have commonly been used in targeted attacks on organizations and this one should be addressed.

Excel can be a major problem. The RSA breach "2011 Recruitment Plan.xls" file made it very clear how social engineering schemes are used to effectively trick employees - it is important to note that the message was pulled out of the RSA employee's spam folder and opened. This Excel attachment maintained embedded malicious Flash content and exploited the vulnerability right in front of the employee after being opened, effectively delivering its cyber-espionage payload. Now, attackers don't need embedded Flash content to take advantage of employee dependency on Excel.


4 comments

Oldest first
Threaded view
 

Eagle

2011 Sep 15, 17:07
2
 

Vulnerability in Excel?

you mententioned about vulnerability in microsoft excel, is it not safe to use excel? can i(my computer) still be explioted even i always intall updates?

Reply    

Kurt Baumgartner

2011 Sep 15, 20:23
1
 

Re: Vulnerability in Excel?

Hey Eagle,

Using most any technology poses a risk. There are nasty car accidents every day, deadbolts don't always keep burglars out, and bad misspellings still show up in love letters.
Course, Excel is my favorite application of the whole Office package, it's just a really powerful tool. In my book, to call it dangerous or unsafe would be mistaken. But yes, there have been many exploitable flaws in the software and there will be more. The newest versions of Office maintain a sandbox (see "Protected View" posts here... http://blogs.technet.com/b/office2010/archive/tags/protected+view/), development and design of the software have baked better and more secure code into the software, end users are more aware that opening every file coming your way can have serious consequences, and security vendors have dramatically improved response time and protection against software exploits, which all makes exploiting vulnerabilities in Excel and abusing it more difficult. So the name of the game here is reducing the attack surface and opportunities that attackers may have. Reasonable folks prepare for fail.

Simply put, yes, even if you always install updates, there probably remains exploitable vulnerabilities in the software, but the security situation is and can be much improved.

Kurt

Reply    

Eagle

2011 Sep 17, 15:04
1
 

targeted Attack

i always observe my KIS 2012 after i turned on my PC. after the operating system had been launch then after 10 seconds KIS will be started its operation...my question is,can a targeted attack occur before the antivirus will be launch?

Reply    

Kurt Baumgartner

2011 Sep 18, 00:50
0
 

Re: targeted Attack

Hi Eagle- In the situation you described above, it would be highly unlikely. If you were in a coffee shop and had disabled your firewall, there may be a window of attack. Or, if you had another application, like a browser, automatically launch very early at startup and run, I suppose that there may be a possibility. But these are unlikely scenarios.

Btw, most "targeted attacks" that I am referring to involve spearphishing, which requires you to open an email attachment or click on a link within an email message. That activity probably wouldn't happen prior to KIS launch.

Kurt

Reply    
If you would like to comment on this article you must first
login


Bookmark and Share
Share

Related Links

Analysis

Blog