Excel security

More whining about Excel (in)security here.

I’d just like to highlight something I think a few people are missing.

.xls danger doesn’t start and end with dodgy VBA or XLM. Those are issues for sure, as both are very powerful languages.

It is possible to have a .xls file with some dodgy binary in it. eg by using a hex editor. When Excel opens the file and tries to parse the binary, it could overflow leaving your machine vulnerable. The workbook may have neither VBA or XLM, it may not even have any cell values.

This is called fuzzing, it was big in 2007, and Excel was a favourite target. Microsoft have also done a lot of work in this area, and their fuzzing has driven a lot of the recent service pack updates.

Just because you disabled macros doesn’t make you safe.

Also when you sign a workbook you only sign the VBA project, the workbook stream (and others) can still be modified without breaking the signature.

Just saying..

cheers

Simon

Advertisements

6 Responses to “Excel security”

  1. Marcus Says:

    That Hex editor comment is right on the mark. You may have seen a question on the Excel List a week or so ago about password crakers. One respondent included a link to a german site which showed how to crack the VBE password changing two characters in the Excel binary file using a Hex editor.

    So I tried it, first on some of my own xla’s and then some commercial ones. I was shocked. I understood it wasn’t hard, but didn’t realise it was that easy. Essentially, expect for the completely unitiated, Excel has no security.

  2. Ross Says:

    Marcus you’re quite right, although the workbook level password is a bit better than the VBIDE one, I think!

    But i tell you what how about this, don’t open excel workbooks – or anything else that looks dodgy! If people knew what they were doing all this s@*t wouldn’t be an issue!

  3. Stephane Rodriguez Says:

    The Microsoft Excel team lately has reduced the attack surface on cleverly corrupt files. They have filled a couple of holes, but it’s still wide open. Problem, in Excel 2007, they’ve been adding a ton of new code, some of which they are just licensing from third parties. In addition to .xls vulnerabilities (which indeed don’t need VBA macros to activate), we’ll probably see Excel 2007 vulnerabilities now as people start using it to save in the new file formats.

  4. Simon Says:

    Marcus
    I wrote an add-in to do it – getting the menu to show up right in the VBAIDE was harder than finding the chars changing them and reloading the xls.

    Ross Workbook open protection do you mean? that is better, workbook structure is the same as worksheet – weak.

    Stephane – isn’t Excel 2007 a bit rare to be worthwhile as a target? ;-). the bad guys might do better to target Quattro Pro.

  5. Ross Says:

    Yes, the open password.

  6. sam Says:

    Marcus…

    The Hex Editor hack for a VBA project password wont work on an 2007 addin/ File with protected code… So i guess that counts as an improvement in 07…But I guess its only a matter of time before some clever person finds out now to do it in a 07 file..

    Bye the way….save a excel file with VelvetSweatshop as the password… and be amazed at the result

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: