Last Updated: 2006-06-19 21:08:13 UTC
by Adrien de Beaupre (Version: 2)
Update: A Perl script was published on Milw0rm, which appears to exploit *some* Excel vulnerability. It creates a spreadsheet including a very long URL. Once the user clicks on the URL, Excel will crash. As our reader Dominic pointed out, the script does not claim to be the 0day under discussion. VirusTotal does not trigger any signatures based on the Excel file generated by the exploit.
Juha-Matti, a regular ISC contributor, has written up some information into a FAQ. This is with regard to a recently discovered, previously unknown vulnerability in Microsoft Excel. Gotten tired of the phrase '0day'? I sure have.
Although I do not entirely agree with all of his advice, I think that the first and only defense is - defense in depth.
Do NOT rely solely on antivirus.
Do NOT rely solely on filtering by extension.
Do NOT open Excel files that appear unsolicited in your mailbox.
No single tool or measure is sufficient.
I am hoping that the point is getting across: do not rely on traditional defensive measures. It is quite likely they will prove inadequate against a custom-made, targeted trojan built just to penetrate your infrastructure, particularly one using an undisclosed vulnerability. No signature-based tool can help you in this case.
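To illustrate "Do NOT rely solely on filtering by extension", the following added example (not part of the original diary or the FAQ) identifies Excel workbooks by their OLE2 container content rather than by file name. The function names, verdict strings and sample bytes are assumptions constructed for the example; it reads only the first directory sector and is one filtering layer among several, not a detector for the vulnerability.

```python
import struct

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # compound file signature
EXCEL_STREAMS = {"workbook", "book"}              # BIFF8 / BIFF5 stream names
EXCEL_EXTS = {"xls", "xlt", "xla"}

def directory_names(data: bytes) -> list[str]:
    """Entry names from the first directory sector of an OLE2 file.
    Simplification: the directory's FAT chain is not followed."""
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        return []
    (sector_shift,) = struct.unpack_from("<H", data, 30)
    (first_dir,) = struct.unpack_from("<I", data, 48)
    if sector_shift not in (9, 12):               # 512- or 4096-byte sectors
        return []
    size = 1 << sector_shift
    start = (first_dir + 1) * size                # sector 0 follows the header
    names = []
    for off in range(start, min(start + size, len(data)) - 127, 128):
        (name_len,) = struct.unpack_from("<H", data, off + 64)
        if 2 <= name_len <= 64:                   # length includes the NUL
            raw = data[off:off + name_len - 2]
            names.append(raw.decode("utf-16-le", "replace"))
    return names

def gateway_verdict(filename: str, data: bytes) -> str:
    """Hypothetical attachment policy: classify by content, then compare
    with the claimed extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if any(n.lower() in EXCEL_STREAMS for n in directory_names(data)):
        return "excel" if ext in EXCEL_EXTS else "excel-disguised"
    return "other"

def sample_workbook() -> bytes:
    """Constructed minimal OLE2 skeleton: header plus one directory sector."""
    header = bytearray(512)
    header[:8] = OLE2_MAGIC
    struct.pack_into("<H", header, 30, 9)         # sector shift: 512 bytes
    struct.pack_into("<I", header, 48, 0)         # directory in sector 0
    sector = bytearray(512)
    for i, name in enumerate(["Root Entry", "Workbook"]):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        sector[i * 128:i * 128 + len(raw)] = raw
        struct.pack_into("<H", sector, i * 128 + 64, len(raw))
    return bytes(header + sector)

if __name__ == "__main__":
    for fname in ("invoice.xls", "notes.txt"):
        print(fname, gateway_verdict(fname, sample_workbook()))
```

A renamed workbook is reported as `excel-disguised`, which an extension-only filter would have passed through unexamined.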
Last Updated: 2006-06-19 16:55:48 UTC
by Johannes Ullrich (Version: 2)
Update: All feedback we received so far points to microsoft.fr being an isolated issue.
Microsoft confirmed that this does not appear to be a 0-day exploit. The defaced website was outsourced and not under direct Microsoft control. No other Microsoft website was hit.
Some persistent rumors talk about a possible new exploit (0-day?) against IIS 6.0. The defacement of experts.microsoft.fr is used as evidence. At this point, we have nothing to support that claim. If you have any additional evidence, please let us know. An image of the alleged defacement can be found at Flickr: http://www.flickr.com/photos/affandesign/169734004/in/photostream/. Also see http://www.zone-h.org/content/view/4767/31/ for a mirror of the defacement.