Sign up to our newsletter
There was a comment posted today on an article on the SC Magazine site from someone who seemed to think we were talking up an obsolete exploit. He seems to have been thinking about this one: "Microsoft Security Bulletin MS08-014 – Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (949029)". (Which fixes this issue, too.)
Sadly, there have been more vulnerabilities than one in Excel allowing remote code execution. The vulnerability that’s made use of by the malware/exploit we detect as X97M/TrojanDropper.Agent.NAI is the vulnerability referred to here and here.
(We also have generic detection for the vulnerability, going by the name of X97M/Exploit.CVE-2009-0238.Gen, so you should be protected against other malware exploiting the same vulnerability. If you’re still confused by the difference between vulnerabilities and exploits, take a look at Randy’s blog here.)
However, while checking back to ensure that I hadn’t somehow mixed up advisories (I hadn’t!) I noticed that 968272, which considers the current, unpatched problem, is now up to version 2.1.
As of March 5, 2009, Open XML File Format Converter for Mac was removed from the list of affected software in the Overview section. It turns out that it isn’t affected by the vulnerability described in advisory 968272. As far as I can see, that’s the only difference, but if that utility is of any concern to you, it appears to have been found not guilty.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
Author David Harley, ESET