Reprinted with permission of Computer World Magazine. All rights reserved.

At press time Deborah wanted to add the following: First of all, it turns out the Netscape browser 4.5 is not vulnerable to this attack. And second, there's information on CALL disabling at Microsoft's site - http://www.officeupdate.microsoft.com/downloadDetails/xl97cfp.htm - or http://www.microsoft.com/security/bulletins/ms98-018.asp.

Excel Problems Bring EMail Virus

by Deborah Radcliff

(IDG) -- "Suppose it's possible to send an e-mail containing a hidden construct," said an information security director. "And when the user opens that e-mail, the construct will run without the user ever knowing anything."

Imagine those constructs can do anything their creator wants them to: Secretly copy and download proprietary information, delete the BIOS or reformat your machine.

It's real.
The security director, who asked for anonymity, was talking about Russian New Year with a twist.

Discovered in January, Russian New Year exploits the Microsoft Excel CALL functions used to call other Excel functions such as create, write, close, execute and sum.

So what's the twist? Originally, the only way to contract the virus was to visit a Web page and click an HTML link. Now, Russian New Year can be sent via mass mail programs, with the link embedded or as an attachment. Newer browser programs will automatically execute CALL to fetch the embedded document or prepare to open the attachment -- so the e-mail recipient needn't even open the e-mail to get infected.

"Russian New Year is a way of attacking you without you knowing you've been attacked. It really does this," said Ira Winkler, president of Severna Park, Md.-based Information Security Advisors Group and author of Corporate Espionage (Prima Publishing, 1997).

The good news: There are no known reports of Russian New Year attacks on enterprises. And that's why most folks just don't want to talk about it -- they're afraid of letting the cat out of the bag. "If Russian New Year wasn't publicized, people might not exploit it. On the other hand, there are a lot of users who are vulnerable," Winkler said.

Now the bad news. The hack is so subtle, it's likely that if they have been hit, security administrators don't know it. Excel spreadsheets, for example, could be easily and secretly copied to a browser, according to an April 17 alert issued by Finjan Software Ltd., an Israel-based maker of mobile code security software (www.finjan.com/rny/rny1.cfm).

Sneak attack

Under certain conditions, users wouldn't have to manually open HTML attachments or click on embedded links to let the attack in.

"Russian New Year gives attackers the ability to deliver any payload they want," said Penny Leavy, Finjan's senior vice president of global marketing. "Your antivirus software won't catch this. Your firewall won't catch this."

More bad news: The attack is difficult to prevent. Microsoft Corp. has patches, but only for Excel 97. If your users are running Excel 95, you must first upgrade them to Office 97, then load service releases 1 and 2, then load the patch -- which pretty much kills the CALL function altogether. "Until vendors configure Web browsers to not allow embedded Excel CALL functions, this problem really can't be fixed unless you cancel your Excel CALL functions," Winkler said. Unfortunately, "some people ... use the CALL function all the time," he added.

Financial services firms, for example, rely on CALL to import data from their enterprise resource planning software databases into spreadsheets, Leavy said.

The simplest fix is education. Remind users not to open HTML attachments or click embedded links in e-mail files unless they explicitly trust the source, Winkler said. But there's another possible diabolical twist, he adds: If New Year is teamed up with the mass-mailing technology behind the recent Melissa virus, the e-mail will appear to come from a trusted source.

Leavy suggests raising browser-security levels and configuring dialog boxes to send alerts when a program or a Web site is set to call other functions.

Because there's no simple way to block Russian New Year, Winkler advises information technology managers to ask, "Is the benefit of using CALL functions worth more than the potential risk of using them?"


Radcliff is a freelance writer in the San Francisco area. Her Internet address is derad@aol.com
