Zero-day vulnerability in Microsoft Excel

The attack was reported on February 2007. The exploit dropped malware that used www.top10member.com C&C server. According to TrendMicro, the malware functionality was very similar to BKDR_SYKIPOT.B.

Advisory: SB2007020204 - Buffer overflow in Microsoft Excel

Vulnerable component: Microsoft Excel

CVE-ID: CVE-2007-0671

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C

CWE-ID: CWE-119 - Memory corruption

Description:

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to boundary error when handling malformed records in Excel files. A remote attacker can create a specially crafted Excel file, trick the victim into opening it and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in compromise of vulnerable system.

Note: this vulnerability is being actively exploited.

Sykipot campaigns

Sykipot attacks trace back to 2006.

The attackers were sending emails with specially crafted links or content containing JS.Sykipot and Backdoor.Sykipot. Trojans to obtain intellectual property (design, financial, manufacturing, or strategic planning information).

According to Symantec, the Sykipot group has Chinese roots.

External links:

https://www.symantec.com/security_response/writeup.jsp?docid=2007-021911-2650-99
https://www.symantec.com/connect/blogs/latest-office-zero-day-vulnerability
https://technet.microsoft.com/en-us/library/security/ms07-015.aspx
https://technet.microsoft.com/library/security/932553
http://blog.trendmicro.com/trendlabs-security-intelligence/the-sykipot-campaign/