June 28, 2019

If you use Excel – and who doesn’t? – you have a security vulnerability that could enable a ransomware virus or other malware attack.

It’s only been a few days since Microsoft alerted users to an attack that used an Excel feature to compromise Windows machines. Now researchers at Mimecast have found a weakness in the spreadsheet software that allows cybercriminals to install malware.

According to researchers, Excel’s Power Query business intelligence tool can be used to launch complex and difficult-to-detect hacks that incorporate a number of breach techniques.

Attackers could put infected content in a separate data source, and use Power Query to load it into the spreadsheet when it is opened. The malicious code could then be used to install malware that compromises the user’s computer.

Power Query lets users pull data from multiple sources into one spreadsheet in order to analyse it and find correlations. Data sources can include external databases, web pages, text documents, or other spreadsheets.

Once the sources are linked, malicious code attached to a data source can be loaded automatically when the document is opened – also opening the door to infection.
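A defender can triage workbooks for this behaviour before they reach users. The following is an added example, not code from Mimecast or the original article: it lists a workbook's external data connections and flags those set to refresh when the file is opened. It assumes the standard Office Open XML layout (`xl/connections.xml`, the `refreshOnLoad` attribute, the `Microsoft.Mashup.OleDb` provider used by Power Query); the function names and the sample workbook are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for hostile files, prefer a hardened XML parser

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

def audit_workbook(data: bytes) -> list:
    """Return one finding per external data connection in an .xlsx/.xlsm file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "xl/connections.xml" not in zf.namelist():
            return findings  # workbook has no external data connections
        root = ET.fromstring(zf.read("xl/connections.xml"))
    for conn in root.findall("m:connection", NS):
        db, web = conn.find("m:dbPr", NS), conn.find("m:webPr", NS)
        conn_str = db.get("connection", "") if db is not None else ""
        findings.append({
            "name": conn.get("name", ""),
            # Power Query connections go through the Mashup OLE DB provider
            "power_query": "Microsoft.Mashup.OleDb" in conn_str,
            "web_url": web.get("url") if web is not None else None,
            # refreshOnLoad: data is fetched when the workbook is opened
            "refresh_on_open": conn.get("refreshOnLoad") in ("1", "true"),
        })
    return findings

def refresh_on_open_names(findings: list) -> list:
    """Names of connections that pull external data at open time."""
    return [f["name"] for f in findings if f["refresh_on_open"]]

def build_sample() -> bytes:
    """Constructed sample: a zip holding only the part this check reads."""
    xml = (
        '<connections xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        '<connection id="1" name="Query - Query1" type="5" refreshOnLoad="1">'
        '<dbPr connection="Provider=Microsoft.Mashup.OleDb.1;'
        'Data Source=$Workbook$;Location=Query1" command="SELECT * FROM [Query1]"/>'
        '</connection>'
        '<connection id="2" name="Static import" type="4">'
        '<webPr url="https://example.invalid/table.html"/>'
        '</connection></connections>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/connections.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in audit_workbook(build_sample()):
        print(finding)
```

A workbook that combines `power_query` with `refresh_on_open` is the case worth routing to closer inspection at a mail or file gateway.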

Struggling to get security right in Redmond

Microsoft has put a lot of money and effort into turning around perceptions that it is weak on security.

Either by virtue of the fact that it runs the world’s leading computer operating system and office productivity suite, or because it was simply too slow to address vulnerabilities in the past, MS has traditionally had a bad rep in IT circles.

Over the last decade or so Redmond has spent like Midas to add best-in-class security features to its products, monitor vulnerabilities and patch them quickly once they’re found.

They have got better. But all the M&A activity has made a massive computing ecosystem even more massive, and – perhaps inevitably – MS continues to be a macro-level fun fair for cybercriminals.

Still king of the breach

Analysis by researchers at Recorded Future found that Microsoft products remained the most consistently targeted by cybercriminals in 2018.

Eight of the top ten vulnerabilities were focused on MS software and operating systems – up from seven the previous year.

Top Microsoft-enabled exploits last year included:

The number one exploited vulnerability of 2018 was CVE-2018-8174, its designation in the US National Vulnerability Database, which is run by US tech compliance body the National Institute of Standards and Technology (NIST).

Called Double Kill, it’s a remote code execution flaw that can be exploited using Internet Explorer. It was included in four of the most effective exploit kits used by cyber criminals last year, and helped infect victims with some of the most insidious types of banking trojan and ransomware.

Another widespread exploit was CVE-2017-11882. First revealed in December 2016, it’s a Microsoft Office vulnerability that allows non-approved code to run when an infected file is opened – again putting users at risk of having malware installed on their computer. The vulnerability has featured in a number of malicious campaigns.

Vulnerability CVE-2016-0189 was the top ranked IT weakness of 2016, ranked second in 2017 – and still made the top 10 last year.

The zero-day exploit for Internet Explorer is still going strong almost three years after it arrived, suggesting there’s a real issue with users not applying updates to their browsers.

How to manage Microsoft’s many, many vulnerabilities

Patches are available for all the flaws on the above list – but getting people and organisations to update their systems when prompted is an ongoing issue in cybersecurity.

The most costly cyberattack in recent memory – Equifax’s mega breach of customer data – happened in part because the company had failed to implement a publicly available security patch to one of its servers. The vulnerability had been announced by the US Dept. of Homeland Security months before the attack.

Applying the appropriate patches to operating systems and applications can go a long way to stopping some of the most commonly deployed cyber attacks.

Having front line staff actively observing and reporting potential attacks or odd behavior in the applications they use is just as important.

From yet-undiscovered exploits in popular software tools, to poor processes and simple human fallibility, every organisation has cyber weaknesses that criminals will, one day, use to mount an attack.

Investing in the latest defensive technologies and making sure they’re patched is critical, but technology alone can’t offer bulletproof guarantees.

The best security systems in the world are susceptible both to human error and to all the known unknowns in software development. A programme of security awareness training can strengthen them by switching your people on to the risk of data breaches, whether from a phishing email, botnet infection, or an outside caller with an unexpected information request.

With better training and education, staff can help spot the signs of a breach, and avoid enabling breaches through misadventure and error.
