Recently, security researchers at the Mimecast Threat Center discovered a new vulnerability in the Microsoft Excel spreadsheet application that leaves 120 million users vulnerable to cyber attacks.
The researchers point out that this vulnerability allows an attacker to use Excel’s Power Query tool to enable remote Dynamic Data Exchange (DDE) on a spreadsheet and control the payload. In addition, Power Query can be used to embed malicious code into a data source and propagate it.
What is Power Query?
Power Query is a powerful and scalable Business Intelligence (BI) tool that lets users integrate their spreadsheets with other data sources, such as an external database, text document, another spreadsheet, or a web page, to name a few. When sources are linked, the data can be loaded and saved into the spreadsheet, or loaded dynamically (when the document is opened, for example).
According to Mimecast, Power Query provides sophisticated and powerful features that can be used to carry out attacks that are often difficult to detect.
“Using Power Query, attackers could embed malicious content in a separate data source, and then load the content into the spreadsheet when it is opened. The malicious code could be used to drop and execute malware that can compromise the user’s machine.”
Describing the discovery, Ofir Shlomo wrote in a blog post:
“The feature gives such rich controls that it can be used to fingerprint a sandbox or a victim’s machine even before delivering any payloads. The attacker has potential pre-payload and pre-exploitation controls and could deliver a malicious payload to the victim while also making the file appear harmless to a sandbox or other security solutions.”
As part of the Coordinated Vulnerability Disclosure (CVD) process, Mimecast worked with Microsoft on this vulnerability. Unfortunately, Microsoft did not release a fix for Power Query but instead provided a workaround to mitigate the problem.
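Because the query that loads external content travels inside the workbook, a defender can triage files statically before anyone opens them. The following is an added example, not code from Mimecast or Microsoft: it pulls the Power Query (M) source out of a workbook and lists queries that call remote-fetch functions. The storage layout it parses (a base64 `DataMashup` element in a `customXml/item*.xml` part, with an 8-byte header before an embedded ZIP), the function list, and the `build_sample` helper with its constructed workbook are assumptions of this example.

```python
import base64, io, re, struct, zipfile

# Heuristic list: M functions that make Power Query fetch from a remote source.
REMOTE_FUNCS = re.compile(r"\b(Web\.Contents|Web\.Page|Web\.BrowserContents|OData\.Feed)\s*\(")
MASHUP = re.compile(r"<DataMashup[^>]*>([^<]+)</DataMashup>")

def _decode_xml(raw):
    # Excel typically writes this part as UTF-16 with a BOM; fall back to UTF-8.
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", "replace")

def extract_m_formulas(xlsx_bytes):
    """Return {part_name: M source} for every Power Query section in a workbook."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as book:
        for name in book.namelist():
            if not name.startswith("customXml/item"):
                continue
            m = MASHUP.search(_decode_xml(book.read(name)))
            if not m:
                continue
            blob = base64.b64decode(m.group(1))
            # Assumed layout: 4-byte version, 4-byte length, then a ZIP package.
            _version, size = struct.unpack_from("<II", blob, 0)
            with zipfile.ZipFile(io.BytesIO(blob[8:8 + size])) as pkg:
                for part in pkg.namelist():
                    if part.lower().endswith(".m"):
                        found[part] = pkg.read(part).decode("utf-8", "replace")
    return found

def remote_sources(xlsx_bytes):
    """List (part, function) pairs where a query pulls from a remote source."""
    hits = []
    for part, src in extract_m_formulas(xlsx_bytes).items():
        hits += [(part, f) for f in REMOTE_FUNCS.findall(src)]
    return hits

def build_sample(m_source):
    """Constructed workbook holding one query, for exercising the scanner offline."""
    pkg = io.BytesIO()
    with zipfile.ZipFile(pkg, "w") as z:
        z.writestr("Formulas/Section1.m", m_source)
    blob = struct.pack("<II", 0, len(pkg.getvalue())) + pkg.getvalue()
    xml = '<DataMashup xmlns="http://schemas.microsoft.com/DataMashup">%s</DataMashup>' % base64.b64encode(blob).decode()
    book = io.BytesIO()
    with zipfile.ZipFile(book, "w") as z:
        z.writestr("customXml/item1.xml", xml.encode("utf-16"))
    return book.getvalue()
```

A hit means the workbook will reach out to an external source when its query refreshes, which is a reason to inspect the query, not proof of malice.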