Microsoft is investigating new public reports of limited “zero-day” attacks using a vulnerability in Microsoft Excel 2003, Excel Viewer 2003, Excel 2002, Excel 2000, Microsoft Excel 2004 for Mac, and Microsoft Excel v. X for Mac. In order for this attack to be carried out, a user must first open a malicious Excel file attached to an e-mail or otherwise provided to them by an attacker.

In order to avoid the possibility of being compromised by this vulnerability just do not open attachments from untrusted, unreliable authors. This is a best practice that should be followed daily. If you are already weary about opening attachments from unknown senders then you are on the right track.

Here’s what we know: In order for this attack to be carried out, a user must first open a malicious Excel document that is sent as an email attachment or otherwise provided to them by an attacker. (note that opening it out of email will prompt you to be careful about opening the attachment) So remember to be very careful opening unsolicited attachments from both known and unknown sources.

There probably will not be a patch until the next Patch Tuesday so be on the lookout for any malicious activity that may attempt to exploit this vulnerability.

Out of the eight critical fixes, 2 resolve Internet Explorer vulnerabilities, 1 is for Windows Media Player, 2 are for the Windows operating system itself, 1 is for Word and 1 is for PowerPoint. The Word patch reconciles a major security issue regarding a highly-publicized zero-day exploit, which has already used in conjunction with a number of attacks. The vulnerability can be exploited after a user opens a specially crafted Word file with a malformed object pointer, allowing for code execution.

There is also a cumulative patch for Internet Explorer, which fixes five code execution vulnerabilities, a spoofing flaw, and an issue that could pose both an information disclosure or spoofing risk. Modifications to the way that Internet Explorer handles ActiveX controls is also included in the IE cumulative update.

It is highly recommended that all organizations take the necessary steps required in order to install these patches, especially considering the critical exploits that they resolve.

SocketShield is the world’s first dedicated zero-day exploit blocker. Using a unique combination of research technologies, a deep understanding of anti-malware techniques, and skilled coding, the software is able to block exploits from entering your computer, regardless of how long it takes for the vendors of vulnerable applications to issue patches - or how long it takes for you to install those patches.

As the name implies, SocketShield works at the socket level. Sockets are the points of entry used by your computer to allow programs to be downloaded from the web and other sources; these sockets can be opened and closed to enable or prevent downloads. SocketShield uses the knowledge gained through its multiple research channels to determine whether any download is an exploit and to close any socket that a known or suspected exploit is attempting to use.

Certainly sounds like an intriguing tool that I am very interested in test-driving. A free trial is available, which I intend to download and install this week sometime. Look for an upcoming article that details the software and its capabilities.

The security flaw manifests itself through the way Skype handles Uniform Resource Identifiers (URIs) that point to names or addresses referring to resources.

Security-Assessment.com discovered that with one type of URI handler installed by Skype it was possible to include additional command-line switches. One such switch will set up a file transfer session that will allow data written to the local hard disk to be sent to another Skype user.

For an attacker to succesfully exploit the flaw he must know the exact name and location of the file he wants to transfer on the victim’s computer. The attacker must also authorise the victim, Security-Assessment.com says. This is easily done, with the attacker simply adding the victim to his contact list.

Skype programmers have been alerted to the exploit and are actively working on a solution. Look for an update to this widely used VoIP application in the very near future.

1. [SA20153] Microsoft Word Malformed Object Code Execution Vulnerability
2. [SA19762] Internet Explorer “object” Tag Memory Corruption Vulnerability
3. [SA20107] RealVNC Password Authentication Bypass Vulnerability
4. [SA19738] Internet Explorer “mhtml:” Redirection Disclosure of Sensitive Information
5. [SA20261] Cisco VPN Client Privilege Escalation Vulnerability
6. [SA19521] Internet Explorer Window Loading Race Condition Address Bar Spoofing
7. [SA18680] Microsoft Internet Explorer “createTextRange()” Code Execution
8. [SA20288] Novell Netware abend.log User Credentials Disclosure
9. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
10. [SA20300] Basic Analysis and Security Engine “BASE_path” File Inclusion

Secunia offers a number of easy ways to be notified of the latest and greatest security vulnerabilities associated with all the software available. Get on one of their mailing lists, or subscribe to an RSS feed, so that you can be immediately notified of any exploits that your network might be vulnerable to.

This exploit is currently only proof of concept and the severity is unknown. Look for further information to be released later in the week, as more people are made aware of the vulnerability.

“This is definitely wormable. Once exploited, you get a command shell that gives you complete access to the machine. You can remove, edit or destroy files at will,” said eEye Digital Security spokesperson Mike Puterbaugh.

Oddly enough, Symantec’s Personal Firewall was designed to protect against this vulnerability, which means that the company was somewhat aware of this issue. Look for a patch to be issued within the coming days.

An attacker who constructs a Skype URL that is malformed in a specific way can initiate the transfer of a single named file from one Skype user to another, provided that the sender follows the malicious link and that the recipient has previously authorized the sender.

The exploit is not a simple one but one nonetheless. There is already an updated version of Skype available, which addresses this issue. If you are a Skype user then it is suggested that you upgrade immediately.