Mimecast security researchers have discovered a vulnerability in Power Query, a feature in Microsoft Excel that exposes 120 million users to a possible attack. A patch is not yet available.

Power Query is a business intelligence tool that allows users to integrate their Excel spreadsheets with other data sources, such as an external database, text document or other spreadsheet. When sources are linked, data can be loaded and saved in the spreadsheet, or loaded dynamically, for example, when the document is opened.

The vulnerability in Power Query can be exploited to remotely launch a Dynamic Data Exchange (DDE) attack in an Excel spreadsheet and actively control the payload. According to Mimecast, more advanced attacks are also possible, which are difficult to detect and combine different attack surfaces.

“Power Query allows attackers to embed malicious content in a separate data source and then load the content into the spreadsheet when it is opened. The malicious code can be used to drop and execute malware that can endanger the user’s computer,” the Mimecast researchers write in a blog post.

Bypassing the sandbox

The feature offers such extensive capabilities that it can be used to fingerprint a victim’s sandbox even before a payload is delivered. “The attacker has the ability to deliver a malware payload to the victim, while the file looks harmless to a sandbox or other security solution,” said the researchers.

The vulnerability is worrying because Power Query is enabled by default in Excel. Microsoft, however, seems to have been aware of the problem for some time. In November 2017, it published a security advisory with workarounds, including the recommendation to disable the DDE function when it is not needed. There is no patch yet, and it is not known whether Microsoft is already working on one.

The good news is that Mimecast hasn’t found any cases where the vulnerability has been exploited in the wild, although that could change quickly now that the information has been made public. “Mimecast strongly recommends that all Microsoft Excel customers implement the solutions proposed by Microsoft, since the potential threat to these Microsoft users is real and the exploit may be harmful,” the researchers conclude in their report.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.