Zero-day vulnerability in Microsoft Excel

Buffer overflow
CVE-2007-0671

The attack was reported on February 2007. The exploit dropped malware that used www.top10member.com C&C server. According to TrendMicro, the malware functionality was very similar to BKDR_SYKIPOT.B.

Known malware:

Exploit-MSExcel.h.

Vulnerability details

Advisory: SB2007020204 - Buffer overflow in Microsoft Excel

Vulnerable component: Microsoft Excel

CVE-ID: CVE-2007-0671

CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description:

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to boundary error when handling malformed records in Excel files. A remote attacker can create a specially crafted Excel file, trick the victim into opening it and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in compromise of vulnerable system.

Note: this vulnerability is being actively exploited.

Known APT campaigns:

Sykipot campaigns

Sykipot attacks trace back to 2006.

The attackers were sending emails with specially crafted links or content containing JS.Sykipot and Backdoor.Sykipot. Trojans to obtain intellectual property (design, financial, manufacturing, or strategic planning information).

According to Symantec, the Sykipot group has Chinese roots.

Vulnerability Scanning SaaS

Vulnerability scanning SaaS service is online 3-rd generation vulnerability scanner with scheduled assessments and vulnerability subscription. You can use service to check security of your network perimeter.