This is a follow up to David Harley’s post “Targeted Excel Malware Revisited.” I know that for some people “exploiting a vulnerability” is no clearer than the US tax code, so I’ll try to make it a bit more understandable.

A “vulnerability” simply means that there is a problem with a program. In this case the program is Excel and the problem is that a spreadsheet can be created so that when it is opened with Excel it will be able to run other programs that you do not want to have run. If someone sends you an Excel file, (the file name usually end with .xls or for Excel 2007 .xlsx) you probably should not open it until you verify that it came from a person you know and that they meant to send it to you. Why ask if someone you know meant to send you something? Because all information in email can be spoofed. The “from” email address can be made to say it is from someone you know, even though it is not.

Exploiting the vulnerability simply means taking advantage of the problem with the program to gain access to your computer. If you apply Microsoft’s security patches then the problem is fixed and you are no longer vulnerable to this attack.

Usually the way this Excel vulnerability is exploited is by including a small program with the spreadsheet. When the spreadsheet is opened then the problem in Excel allow the other program to be run as well. This program will probably download a larger program to do the really mean things, like steal your passwords, or install remote control software on your computer.

If you should open such a file, there is a chance an antivirus program, such as ESET NOD32 or Smart Security, can detect the file that is being downloaded to do the really harmful stuff, but in this case the detection David mentioned, “X97M/Exploit.CVE-2009-0238.Gen.” id for the actual attempt to exploit the program. In other words, when the bad guys send you a spreadsheet designed to exploit the problem (vulnerability) in Excel, we detect the attempt. This is a lot like the difference between detecting someone trying to pick the lock on the bank’s front door and detecting when someone is inside and calling their cohorts to help rob the bank!

If you have any questions about this or other general security topics, feel free to email me at askeset.@eset.com. Note the askeset address is not for tech support.

Randy Abrams
Director of Technical Education