Zero-day vulnerability in Microsoft Excel

Buffer overflow

The attack was reported on February 2007. The exploit dropped malware that used C&C server. According to TrendMicro, the malware functionality was very similar to BKDR_SYKIPOT.B.

Known malware:


Vulnerability details

Advisory: SB2007020204 - Buffer overflow in Microsoft Excel

Vulnerable component: Microsoft Excel

CVE-ID: CVE-2007-0671

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C

CWE-ID: CWE-119 - Memory corruption


The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to boundary error when handling malformed records in Excel files. A remote attacker can create a specially crafted Excel file, trick the victim into opening it and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in compromise of vulnerable system.

Note: this vulnerability is being actively exploited.

Known APT campaigns:

Sykipot campaigns

Sykipot attacks trace back to 2006.

The attackers were sending emails with specially crafted links or content containing JS.Sykipot and Backdoor.Sykipot. Trojans to obtain intellectual property (design, financial, manufacturing, or strategic planning information).

According to Symantec, the Sykipot group has Chinese roots.