> MS08-014 Excel exploit released
AplusWebMaster
post Mar 22 2008, 04:08 PM
Post #1





FYI...

- http://www.symantec.com/avcenter/threatcon/learnabout.html
(03.22.2008) - "...On March 21, 2008 a public exploit was released for the Microsoft Excel Header Parsing Remote Code Execution Vulnerability (BID 27305). This vulnerability was originally published on January 15, 2008 as an unidentified issue due to reports of targeted exploitation occurring in the wild. It was later patched as part of MS08-014 on March 11, 2008, which addressed a number of different Excel issues.
Microsoft Excel Header Parsing Remote Code Execution Vulnerability
( http://www.securityfocus.com/bid/27305 )
MS08-014
( http://www.microsoft.com/technet/security/...n/MS08-014.mspx )
This is the first of the issues addressed by MS08-014 to have a public exploit available and therefore will likely see public exploitation in the future. The vulnerability specifically involves an uninitialized stack variable issue which was explained by Microsoft in a recent blog posting:
MS08-014: The Case of the Uninitialized Stack Variable Vulnerability
( http://preview.tinyurl.com/2lw6c6 ) [blogs.technet.com/swi]
At the time of writing we are not aware of any public exploitation incidents involving this exploit, however we are anticipating attacks to occur in the near future. Users are advised to apply the updates available in the MS08-014 bulletin immediately. Those unable to do so are advised to review the workarounds listed in the bulletin and avoid opening Excel documents where possible."

AplusWebMaster
post Mar 26 2008, 11:20 AM
Post #2





FYI...

- http://www.symantec.com/avcenter/threatcon/learnabout.html
(2008.03.26) - "...This issue is now being exploited by a website in the wild. The attack vector that is used differs from what is typically observed for this type of vulnerability. Normally, an attacker will spam Excel files to potential victims so as to leverage the vulnerability. In this case, the exploit is hosted on a site, and the victim is silently redirected to the exploit in a similar strategy to how ActiveX client-side vulnerabilities are exploited. Specifically, the exploit XLS document is hosted in the domain 'lntop.info'. Victims are then redirected to this site through an IFRAME that is embedded in another site... Symantec AntiVirus detects the malicious XLS file as Trojan.Mdropper.AA. Customers are advised to:
- Ensure that antivirus software is up to date.
- Block access to the domain 'lntop.info'.
- Install the updates in the Microsoft Security Bulletin MS08-014."

> http://www.microsoft.com/technet/security/...n/MS08-014.mspx


This post has been edited by AplusWebMaster: Mar 26 2008, 11:54 AM
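
A log-triage example for the delivery path and the "block access to the domain" advice in the March 26 advisory quoted above, added here and not part of the original posts or of Symantec's text: it flags proxy log lines that reach the listed domain (or a subdomain of it) and Excel files fetched with a Referer from a different host. The tab-separated log layout, the example.* hosts and the URL path on lntop.info are constructed for illustration.

```python
from urllib.parse import urlsplit

BLOCKED_DOMAINS = {"lntop.info"}  # domain named in the advisory quoted above
EXCEL_TYPES = {"application/vnd.ms-excel", "application/msexcel",
               "application/x-msexcel"}

# Constructed sample log, tab-separated: client, URL, Referer, Content-Type.
# The layout, the example.* hosts and the path on lntop.info are assumptions.
SAMPLE_LOG = """\
10.0.0.5\thttp://intranet.example/q1.xls\thttp://intranet.example/\tapplication/vnd.ms-excel
10.0.0.7\thttp://www.lntop.info/constructed.xls\thttp://news.example/story.html\tapplication/vnd.ms-excel
10.0.0.8\thttp://cdn.example.net/sheet.xls\thttp://blog.example.org/post\tapplication/vnd.ms-excel
10.0.0.9\thttp://notlntop.info.example/index.html\t-\ttext/html
10.0.0.9\thttp://LNTOP.INFO./\t-\ttext/html
"""

def host_of(url):
    """Lower-cased host without a trailing dot, or '' if the URL has none."""
    try:
        return (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:
        return ""

def is_blocked(host):
    """True for a blocked domain or any subdomain (match on whole labels)."""
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def looks_like_excel(url, ctype):
    """Excel by file extension or by the MIME type the server declared."""
    mime = ctype.split(";")[0].strip().lower()
    return urlsplit(url).path.lower().endswith(".xls") or mime in EXCEL_TYPES

def triage(log_text):
    """Return (client, host, reason) for each log line worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue  # skip malformed lines
        client, url, referer, ctype = parts
        host, ref_host = host_of(url), host_of(referer)
        if is_blocked(host):
            findings.append((client, host, "blocked-domain"))
        elif looks_like_excel(url, ctype) and ref_host and ref_host != host:
            findings.append((client, host, "cross-site-excel"))
    return findings
```

A "cross-site-excel" hit is a lead for review rather than a verdict, since legitimate sites also serve spreadsheets from a separate download host.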