Security researchers pointed out a few days ago a potential vulnerability in the Microsoft Excel Power Query add-in that opens a new attack vector. Office security mechanisms can be bypassed, and the user does not need to do anything for the attack to launch. Microsoft does not intend to ship a fix, but there are workarounds. Here is some information on the topic.
There are many (known) vulnerabilities in Microsoft Office. Most blog readers probably know that macros are a gateway for malware, and some malware variants exploit this. But for such exploits the user needs to confirm macro execution. The OLE and DDE automation interfaces that Microsoft provides in Office may also be misused by malware, and this is precisely where the new vulnerability outlined by security researchers lies. German blog reader 1ST 1ST had pointed this out here, and blog reader Ralf had already pointed it out within this comment. I also got a mail from blog reader Robert R.
Power Query: What’s the weakness?
Microsoft Excel 2016 and 2019 include the Power Query function as an add-in by default. In Microsoft Excel 2010 and 2013, the Power Query add-in can be installed afterwards from the download site.
Power Query is a powerful and scalable business intelligence (BI) tool that allows users to integrate their spreadsheets with other data sources. For example, an external database, text document, spreadsheet, or web page can be integrated into an Excel worksheet. Once the sources are linked, the data can be loaded (via the DDE automation interface) and saved in the spreadsheet, or loaded dynamically (e.g. when opening the document).
Security researchers from Mimecast released this document a few days ago, pointing out that the Power Query feature can be used to exploit a vulnerability in Microsoft Excel that allows malicious code to be executed. Power Query can be used to launch sophisticated, hard-to-detect attacks that combine multiple attack vectors. With Power Query, attackers can embed malicious content in a separate data source and have it loaded into the spreadsheet on opening (without the user having to click anything). The malicious code could be used to run malware that compromises the user's computer.
The Mimecast Threat Center team has developed a proof-of-concept (PoC) technique based on this knowledge to introduce malware via Power Query. The PoC uses a remote Dynamic Data Exchange (DDE) attack to launch an Excel spreadsheet and then actively download and run the malware via Power Query.
According to the security researchers, the feature offers such comprehensive control that it can be used to fingerprint a sandbox or a victim's machine even before payloads are delivered. The attacker has pre-payload and pre-exploitation controls and could deliver a malicious payload to the victim while making the file appear harmless to a sandbox or other security solutions.
What does Microsoft say?
As a first step it is helpful to know what Microsoft has to say about the whole story. Therefore, here are some explanations of the terms and references to Microsoft's security advisories.
What is DDE?
In Microsoft Office, there are several methods for transferring data between applications. The DDE protocol is a set of messages and guidelines. It allows applications to send messages to each other, share data, and use shared memory to exchange data. Applications can use the DDE protocol for one-time data transfers and for continuous exchange, where applications send each other updates as new data becomes available. It is also known that the DDE interface can be used for all kinds of malicious purposes.
Microsoft deactivated the DDE interface in Word in 2017
In October 2017 there were malware campaigns that exploited a DDE vulnerability in Microsoft Word to distribute malware. This forum entry also documents this attack path. Opening a compromised Word document was enough to download and run the malware via the DDE interface. People received an email in English with an invoice or the like and a .doc file attached. Whoever opened this Word file triggered the download of the malware via Word's DDE mechanism.
Microsoft provided a security advisory, ADV170021 | Microsoft Office Defense in Depth Update, and a patch to shut down the DDE interface. The advisory describes registry entries for Word and Excel to manually disable the DDE interface in both applications. On the December 2017 Patchday, Microsoft then released security updates for Word 2017 (KB4011575) through Word 2007 that are supposed to disable DDE functionality.
However, these measures to close the DDE vulnerability proved problematic. I had mentioned the problems in the blog post Is Microsofts (Word) DDE-Patch failed partially?
Excel security mechanism tricked
Back to Power Query and Microsoft Excel. Microsoft has implemented a security mechanism starting with Excel 2016: to load content using Power Query, Excel 2016 or later requires the user to double-click the target cell of the table. This is intended to prevent Power Query data from being loaded automatically. In earlier versions of Power Query, no user confirmation was necessary and the content was loaded automatically. This was the lever used to override the security mechanism.
The security researchers at Mimecast found an almost trivial way to trick the new security function introduced in Excel 2016. They simply created the Excel workbook with the Power Query in an older Excel version. Then the 'backwards compatibility feature' comes into play: starting with version 2016, Excel opens the table of a workbook created in older versions and loads the Power Query query automatically, so the user does not need to do anything.
Mimecast's security researchers then managed to manipulate the Power Query query so that they could add a specific request header (Referer) in 'Advanced Mode'. This allows malware to be downloaded from a server. With further tricks, the researchers built delay methods into the proof of concept to make analysis in a sandbox more difficult: the downloaded malware only becomes active after 10 minutes. With this proof of concept it is possible to bypass the Excel security functions and execute malware via Power Query queries on the target computers. The details can be found in the Mimecast article.
Mimecast contacted Microsoft prior to disclosure under the Coordinated Vulnerability Disclosure (CVD) process, in order to determine whether this was intended Power Query behavior or a problem. Microsoft declined to release a fix at that time and instead pointed to the workaround in Security Advisory (4053440) from October 2018 to mitigate the problem. The security advisory describes in detail the relevant workarounds to permanently disable the DDE interface in various Office modules and versions.
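As an added example (not code from the post, from Microsoft or from Mimecast), the following PowerShell audits, and on request sets, the per-user registry values that Microsoft's advisory uses to disable DDE in Excel and Word. The value names and numbers are taken from my reading of ADV170021 and the version keys 14.0/15.0/16.0 are assumptions, so check them against the advisory for your Office build.

```powershell
# Added example: audit/apply the DDE hardening values from ADV170021 (values as
# I recall them from the advisory; verify before rolling out):
#   Excel\Security\WorkbookLinkWarnings   = 2  (no DDE / automatic link update)
#   Excel\Security\DisableDDEServerLaunch = 1
#   Excel\Security\DisableDDEServerLookup = 1
#   Word\Security\AllowDDE                = 0  (needs the Dec 2017 Word updates)
# Assumed Office version keys: 14.0 = 2010, 15.0 = 2013, 16.0 = 2016/2019.

$Versions = '14.0', '15.0', '16.0'
$Settings = @(
    @{ App = 'Excel'; Name = 'WorkbookLinkWarnings';   Value = 2 }
    @{ App = 'Excel'; Name = 'DisableDDEServerLaunch'; Value = 1 }
    @{ App = 'Excel'; Name = 'DisableDDEServerLookup'; Value = 1 }
    @{ App = 'Word';  Name = 'AllowDDE';               Value = 0 }
)

function Test-OfficeDdeHardening {
    # Without -Apply this only reports; with -Apply it writes missing/wrong values.
    param([switch]$Apply)
    foreach ($v in $Versions) {
        foreach ($s in $Settings) {
            $key = "HKCU:\Software\Microsoft\Office\$v\$($s.App)\Security"
            # Missing key or value simply yields $null here.
            $current = (Get-ItemProperty -Path $key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
            $ok = ($current -eq $s.Value)
            if (-not $ok -and $Apply) {
                if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
                New-ItemProperty -Path $key -Name $s.Name -Value $s.Value -PropertyType DWord -Force | Out-Null
                $ok = $true
            }
            [pscustomobject]@{
                Version = $v; App = $s.App; Setting = $s.Name
                Expected = $s.Value; Current = $current; Compliant = $ok
            }
        }
    }
}

# Audit only (run as the user whose profile you want to check):
Test-OfficeDdeHardening | Format-Table -AutoSize
# Apply for the current user, then restart Excel/Word so the values take effect:
# Test-OfficeDdeHardening -Apply | Format-Table -AutoSize
```

The values live under HKCU, so for a fleet you would deliver them via Group Policy preferences or a logon script rather than running this once per machine.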
Mimecast strongly recommends that all Microsoft Excel customers implement the workarounds proposed by Microsoft. The potential threat to Excel users is real, and an attack could be devastating. Heise reports here that in a test with VirusTotal none of the virus scanners detected an Excel file with a malicious Power Query query.
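Since scanners reportedly did not flag such files, a simple triage check for workbooks that carry a Power Query definition at all is a useful complement. The following PowerShell is an added example, not code from the post or from Mimecast; it assumes that Excel stores Power Query queries in an OOXML custom XML part with a DataMashup root element (namespace http://schemas.microsoft.com/DataMashup) and that the matching entry in xl/connections.xml uses the Microsoft.Mashup.OleDb.1 provider, and the sample file it builds is constructed for the demonstration.

```powershell
# Added example: flag OOXML workbooks that contain Power Query parts, and note
# whether a connection is set to refresh when the file is opened.
Add-Type -AssemblyName System.IO.Compression, System.IO.Compression.FileSystem

function Get-PowerQueryIndicators {
    param([Parameter(Mandatory)][string]$Path)
    $hits = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($e in $zip.Entries) {
            # Only the custom XML parts and the connections part are of interest.
            if ($e.FullName -notmatch '^(customXml/item\d+\.xml|xl/connections\.xml)$') { continue }
            $reader = New-Object System.IO.StreamReader($e.Open())
            $text = $reader.ReadToEnd(); $reader.Dispose()
            if ($text -match 'schemas\.microsoft\.com/DataMashup') { $hits += "$($e.FullName): DataMashup part (Power Query definition)" }
            if ($text -match 'Microsoft\.Mashup\.OleDb')           { $hits += "$($e.FullName): Mashup OLE DB connection" }
            if ($text -match 'refreshOnLoad="1"')                 { $hits += "$($e.FullName): connection refreshes on open" }
        }
    } finally { $zip.Dispose() }
    return $hits
}

# Constructed sample: a minimal zip with the two parts a Power Query workbook
# carries. It is not a valid workbook, only enough structure for the check above.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'pq-sample.xlsx'
if (Test-Path $sample) { Remove-Item $sample }
$z = [System.IO.Compression.ZipFile]::Open($sample, 'Create')
$w = New-Object System.IO.StreamWriter($z.CreateEntry('customXml/item1.xml').Open())
$w.Write('<DataMashup xmlns="http://schemas.microsoft.com/DataMashup">AAAA</DataMashup>'); $w.Dispose()
$w = New-Object System.IO.StreamWriter($z.CreateEntry('xl/connections.xml').Open())
$w.Write('<connections><connection id="1" refreshOnLoad="1"><dbPr connection="Provider=Microsoft.Mashup.OleDb.1;Data Source=$Workbook$;" command="SELECT * FROM [Query1]"/></connection></connections>'); $w.Dispose()
$z.Dispose()

# Expected: three indicator lines for the constructed sample.
Get-PowerQueryIndicators -Path $sample
```

A hit only means the workbook contains a query, which many legitimate files do; it is a triage signal for closer inspection of the query's data source, not a verdict.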