Another reason to hate Excel: its Macros can help pivot attacks

A white-hat has taken a good look at whether you can pivot an attack from one machine to others using Microsoft Excel, and you probably won't like what he found. The researcher, Matt Nelson of SpecterOps (@enigma0x3) writes that he's found loose default launch and access permissions, meaning a macro-based attack doesn't need …

  1. Pascal Monett Silver badge

    "assuming a machine in the group is already pwned"

    So the walls are already breached. This is just one possible bit of mayhem that will follow.

    Well, if the walls are breached and a machine is pwned, I think there are much more serious threats to worry about. But hey, good on Microsoft for finding yet another way to be a nuisance.

    1. Roland6 Silver badge

      Re: "assuming a machine in the group is already pwned"

      >Well, if the walls are breached and a machine is pwned, I think there are much more serious threats to worry about.

      "As you all may know, VBA macros have long been a favorite technique for attackers. Normally, VBA abuse involves a phishing email with an Office document containing a macro, along with enticing text to trick the user into enabling that malicious macro. The difference here is that we are using macros for pivoting and not initial access. Due to this, Office Macro security settings are not something we need to worry about. Our malicious macro will execute regardless."

      The only question really is how many users out there who run MS Office are local administrators and thus make it worthwhile running the attack.

      1. Wensleydale Cheese

        Re: "assuming a machine in the group is already pwned"

        "The only question really is how many users out there who run MS Office are local administrators and thus make it worth while running the attack."

        Every SOHO user who has set up their own network and accepted the out of the box default of Admin rights for the first user created on each system?

      2. Anonymous Coward

        Re: "assuming a machine in the group is already pwned"

        Every exec type (real or imagined) out there who believes they are immune to social engineering (the AV logs say otherwise...) and insists no policies apply to them?

    2. Anonymous Coward

      Re: "assuming a machine in the group is already pwned"

      "While it's restricted to users with Local Administrator group privilege, the vector remains serious enough"

      If you have local admin access you already effectively own the PC anyway. To connect to DCOM on a remote PC you also need to be authenticated as an admin or as a user in the "Performance Monitor Users" or "Remote Management Users" group

      "as well as turning on Windows Firewall"

      Which is on by default.

      1. bombastic bob Silver badge

        Re: "assuming a machine in the group is already pwned"

        cracking a windows admin-level user password across a LAN - how long does that take these days?

        1. Anonymous Coward

          Re: "assuming a machine in the group is already pwned"

          "cracking a windows admin-level user password across a LAN - how long does that take these days?"

          The same as it always has - billions of years for a complex password - and pretty much impossible if the default lockout settings are enabled.

          If you have local access to the hashes then they can be cracked with rainbow tables up to about 8 characters. Above that it needs brute force.

  2. The Original Steve

    Appreciate this isn't great, but running without a firewall and with local admin is kind of asking for trouble these days.

    1. yoganmahew

      And how do you stop helpless desks turning admin running state on as a 'fix' for all sorts of bugs they have neither the training nor the budget to fix properly? Now I have a half dozen applications that require admin access to run, so I no longer notice which one is looking for admin access, just keep filling in the password popup :|

      1. Anonymous Coward

        "And how do you stop helpless desks turning admin running state on as a 'fix' for all sorts of bugs they have neither the training nor the budget to fix properly"

        The two common methods I have seen are, firstly, to audit admin groups and fire anyone that makes unauthorised changes, and secondly to regularly reset the local admin group to default settings via group policy.

  3. Gotno iShit Wantno iShit

    Waddyamean 'Another reason to hate'?

    Excel is the stand out item of no-total-shit in my desktop work life, I'm not going to hate it.

    I can hate that Microsoft are trying to ruin it with The Fucking Ribbon™, styles (that fall apart and bloat your file), and various dumbing down. I truly hate anyone who uses merged cells with wanton abandon, or uses Excel to create a 10 page document with one page of spreadsheet at the back, and of course the authors of 90% of the VBA I see. But Excel itself does its job.

    If you want me to hate an application in my daily life lets have a chat about Word shall we?

    1. bazza Silver badge

      Re: Waddyamean 'Another reason to hate'?

      No, I won't accept this. Slurs on Word or Excel are unfair, unwarranted, and ridiculous. Such excellent pieces of code should be loved by all, marvels of usability and usefulness.

      At least, that's how they are compared to Visio.

      1. Sir Runcible Spoon

        Re: Waddyamean 'Another reason to hate'?

        I won't hear a word said against Visio, it's equally at home making floor plans for my house as it is creating complex network diagrams that no-one will ever understand.

        However, I think we can all get behind the pitchfork that needs to be wielded at MS Project. (I realise that there is a lower form of life in the MS stable, but I'm loath to even mention it).

        1. Anonymous Coward

          Re: Waddyamean 'Another reason to hate'?

          Ah, MS Project, the simple spreadsheet which MS keeps recycling and charges many hundreds or even thousands for. I acquired the 2003 version when I was actively managing many projects and have never seen the need at all to upgrade to later versions. I guess the same could be said for other Office software but there are some genuine improvements there, although many feck ups too. MS Project though is really unchanged from a PM perspective and all the subsequent enterprise EPM stuff is really way OTT.

          1. Sir Runcible Spoon

            Re: Waddyamean 'Another reason to hate'?

            I don't know if Project can actually do this, but if it is I've never seen a PM use it yet.

            There must be a way to track time elapsed, as well as effort.

            For example, ordering equipment. Raising a PO and placing the order etc. = x hours. Lead time for getting the kit on site = x weeks.

            If you put 'x weeks' alongside that task someone will ask you why it takes that long to order kit. If you put 'x hours' then they'll harass you every 10 minutes as to why the kit hasn't arrived yet when that task is complete.

            Try and separate those kind of tasks out for the whole project and it turns into a monster. There should be a way to have a task that has 'x hours' of effort, but has 'x weeks' of duration.

            Anyone know?

            1. 2+2=5 Silver badge

              Re: Waddyamean 'Another reason to hate'?

              > Try and separate those kind of tasks out for the whole project and it turns into a monster. There should be a way to have a task that has 'x hours' of effort, but has 'x weeks' of duration.

              I just add an "await delivery" task following 'place order'. If you've inherited someone else's plan then sometimes it is easier to split a task into a rollup and have 'place order' and 'await delivery' in the rollup so that existing dependencies aren't lost.

              1. Sir Runcible Spoon

                Re: Waddyamean 'Another reason to hate'?

                I hear what you're saying, but there are lots of other tasks where there are hidden delays that are difficult to reflect in a plan - that was just an example.

                Another one is change requests. It might take 2 hours to write a request, but then it has to be peer reviewed and possibly amended, then submitted. Then it goes through the change approval process etc. which can be anything from x to x*5 depending on the number of changes in the system. If there lots of changes that need to be raised as part of the plan, you end up multiplying the number of tasks etc. massively.

                What I'd like to see is a way to have tasks that require effort being represented differently from tasks that require time (eg two weeks time to perform 1 hours of effort). Otherwise the change team will look like they are spending two weeks on a single change, when in reality they are working on 50 other changes at the same time (for different projects etc.).

                Awkward I know, but there must be a better way to reflect this kind of difference.

                1. DuchessofDukeStreet

                  Re: Waddyamean 'Another reason to hate'?

                  Sir Runcible

                  You can do that one by allocating the resource for less than 100% for a given task. I'm actually quite a fan of MSP (very sad I know) and the only failing I've found with it to date is its complete inability to display two plans side by side.

                  As for that other MS abomination of Powerpoint, well...that shouldn't be allowed within half a mile of anyone who actually has to think for a living. Leave it to fluffy sales droids and creative marketers but keep it away from the rest of us! (I once had to work with someone who insisted on drafting project plans in PP - her justification was that it was the only way she could get something simple enough to understand. Which says more about her IQ than the product. Miaow.)

      2. Jakester

        Re: Waddyamean 'Another reason to hate'?

        Nice comparison ... comparing Excel and Word with Visio. Take a look at the Microsoft Store reviews of Visio:

        7 of the 14 reviews give it a 1-star rating for an average of 2.5 (as of today). Basically, a bucket of bovine excrement appears to have more value than Visio. Years ago, I did use a pre-Microsoft version of Visio, and it was an excellent product. Microsoft appears to have fixed that problem.

        I don't use Word or Excel, except when providing tech support for those unwilling to use a better, less costly product, or who have to use it because a government agency, insurance company, etc, requires them to run macros and a very specific version of Office. To be fair, I haven't bothered to experiment with recent versions of Word to see if formatting changes when another printer is selected, or if placing more than 4 or so pictures in a document causes all the images to change position (even if they were anchored). My time is too valuable to me to do this type of meaningless exercise just for the fun of it.

    2. Tom 38

      Re: Waddyamean 'Another reason to hate'?

      I'd love to hate Excel at work, but sadly I'm only allowed to hate LibreOffice Calc. Cheap bastards.

    3. 2+2=5 Silver badge

      Re: Waddyamean 'Another reason to hate'?

      > But Excel itself does it's job.

      It would be better if there were a (truly seamless) mode which embraced named ranges fully and disallowed cell ranges. That would make debugging a lot simpler. And the sheet need no longer be a single, rectangular sheet -- just a series of ranges.

      Also a macro language that allows procedural code (whether basic based or something else) that only works within Excel - no access to the PC or Windows at all. There are plenty of simple automation tasks that don't really require full-blown VBA and the associated security permissions hassles that accompany it.

  4. LDS Silver badge

    This is not limited to Excel - but any DCOM server able to download and execute other code

    But to be able to use it you need to have a valid login in the Administrators group (which may include domain admins) - which means you can already compromise the machine in many different ways, or be in the "Distributed COM Users" group *and* the default or per application security settings have been modified to allow such group, or the default security settings (default or per application) have been modified to allow access, launch and activation of a given application.

    You can remove administrators from the DCOM security settings, or remove "remote ...." privileges, but then many remote management applications will stop working.

    It's not different than other types of remoting - in some ways it's even more granular because you can set ACLs down to the single API level if the application supports it, but it is so complex and difficult to configure (and DCOM is not firewall friendly) that it is not rare to see machines left wide open because of someone needing to use a DCOM server without the skills to configure it properly.
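    A way to check the settings the comment above describes on a given host, as an added audit script that is not part of the article or of Matt Nelson's research: it decodes the machine-wide DCOM launch/access descriptors and the per-AppID descriptors for Excel.Application (where present), lists which principals hold remote launch, activation or access rights, shows who sits in the Administrators and "Distributed COM Users" groups, and reports the firewall profile state. It assumes an elevated Windows PowerShell 5.1 or later session on the machine being audited (Get-LocalGroupMember and Get-NetFirewallProfile need Windows 10 / Server 2016 or newer), and that the right bits are the COM_RIGHTS_* constants from the Windows SDK header iaccess.h.

```powershell
# Added DCOM permission audit (not from the article or Matt Nelson's code).
# Assumptions: elevated PowerShell 5.1+ on the audited host; bit values below are the
# COM_RIGHTS_* constants from iaccess.h in the Windows SDK.
$ComRights = @{ 1 = 'EXECUTE'; 2 = 'EXECUTE_LOCAL'; 4 = 'EXECUTE_REMOTE'
                8 = 'ACTIVATE_LOCAL'; 16 = 'ACTIVATE_REMOTE' }
$RemoteMask = 4 -bor 16   # EXECUTE_REMOTE | ACTIVATE_REMOTE

# Decode a REG_BINARY self-relative security descriptor into one row per ACE.
function ConvertFrom-DcomSecurityDescriptor {
    param([byte[]]$Binary, [string]$Label)
    if (-not $Binary) { return }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Binary, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $principal = $ace.SecurityIdentifier.Value
        try { $principal = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        $rights = foreach ($bit in ($ComRights.Keys | Sort-Object)) {
            if ($ace.AccessMask -band $bit) { $ComRights[$bit] }
        }
        [pscustomobject]@{
            Descriptor = $Label
            Principal  = $principal
            AceType    = $ace.AceType
            Rights     = ($rights -join ',')
            Remote     = [bool]($ace.AccessMask -band $RemoteMask)
        }
    }
}

$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
Write-Host "EnableDCOM = $($ole.EnableDCOM)"

$rows = @()
# Machine-wide defaults and the "limits" that cap what any per-app descriptor may grant.
foreach ($name in 'DefaultLaunchPermission', 'DefaultAccessPermission',
                  'MachineLaunchRestriction', 'MachineAccessRestriction') {
    if ($ole.$name) { $rows += ConvertFrom-DcomSecurityDescriptor -Binary $ole.$name -Label "Ole\$name" }
    else { Write-Host "Ole\$name not set: built-in default applies" }
}

# Per-application descriptors override the machine defaults. Resolve
# ProgID -> CLSID -> AppID for Excel and read its own LaunchPermission/AccessPermission.
$clsid = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\Excel.Application\CLSID' -ErrorAction SilentlyContinue).'(default)'
$appId = if ($clsid) { (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -ErrorAction SilentlyContinue).AppID }
if ($appId) {
    $app = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\AppID\$appId" -ErrorAction SilentlyContinue
    foreach ($name in 'LaunchPermission', 'AccessPermission') {
        if ($app.$name) { $rows += ConvertFrom-DcomSecurityDescriptor -Binary $app.$name -Label "AppID $appId\$name" }
        else { Write-Host "Excel AppID $appId has no $name - machine default applies" }
    }
} else { Write-Host 'Excel.Application is not registered on this host' }

"`nPrincipals holding remote launch, activation or access rights:"
$rows | Where-Object Remote | Format-Table Descriptor, Principal, AceType, Rights -AutoSize

"`nMembership of the groups named above:"
foreach ($group in 'Administrators', 'Distributed COM Users') {
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name
    '{0}: {1}' -f $group, ($members -join ', ')
}

"`nFirewall profiles (DCOM needs 135/tcp plus the dynamic RPC range reachable):"
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize
```

    Run it before and after any change made in dcomcnfg or via Group Policy; a principal that shows up with EXECUTE_REMOTE or ACTIVATE_REMOTE on the launch descriptor, and a firewall profile reporting Enabled = False, is the combination the comments in this thread are worried about. Removing Administrators from the descriptor, as the comment above notes, will break remote management tools that rely on DCOM, so test that on a non-production host first.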

    1. Christian Berger

      Now add to that, that there was OPC

      OLE for Process Control required OLE and DCOM to be enabled before the recent switch to OPC UA (which uses some sort of XML over HTTP).

      However since process control systems run for decades, it's very likely that many highly critical systems still use that.

  5. Anonymous Coward

    "There are mitigations, but he warns they might be troublesome....."

    Just remove admin rights from those that have no need for it. The biggest trouble you will have is from spoilt brats that MUST have their BT broadband software on there, because, erm, because... they just do, dammit!

    If you have a programme that "must" have admin rights, for most there are ways around it.

  6. Anonymous Coward

    Nothing to see here...

    So a student found out that if you're a local administrator you can access a machine remotely. No shit, Sherlock.

    There are also some serious flaws in his argumentation. For example the part where he demonstrates remote access through PowerShell. For starters: WSMan:\localhost\Client\TrustedHosts. Good luck creating instances through PowerShell remotely (or even starting new sessions) when the remote host isn't in the list of trusted hosts. Any remote access attempts would be rejected.

    Maybe also interesting to know: this setting can only be changed locally by the administrator.

    You can see the whole thing if you check his script on Github.

    This is a non-issue.

  7. Anonymous Coward

    You are spoiling us Mr El Reg

    Another MSFT two minute hate! What a time to be alive!

  8. Version 1.0 Silver badge

    Strip them all

    This is why our mail server removes all .xls and related files from incoming emails. Attachments? I don't like them, I hates them.

    1. Ramlen

      Re: Strip them all

      So how do finance send/receive all of their lovely mashups to partners in your org?

      1. Anonymous Coward

        Re: Strip them all

        Now you've got me started.....

    2. Anonymous Coward

      Re: Strip them all

      "This is why our mail server removes all .xls and related files from incoming emails."

      We just set Group Policy so that Office will only run signed macros or those stored in specifically approved folders....
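      A way to verify that the policy the comment above describes is actually in force on a workstation, as an added example that is not part of the article or of any commenter's setup: it reads the Excel macro settings Group Policy writes under HKCU\Software\Policies (which take precedence over the user's own Trust Center choices under HKCU\Software\Microsoft), decodes the VBAWarnings level, reports the mark-of-the-web block, and lists the trusted locations where macros run regardless of that level. It assumes Office 2016 or later (registry version key 16.0; Office 2013 uses 15.0 and Office 2010 uses 14.0) and the documented meaning of the VBAWarnings values 1 to 4.

```powershell
# Added Excel macro policy check (not from the article). Assumption: Office 2016+ (16.0);
# change $OfficeVersion for older builds. VBAWarnings values follow the Office policy docs.
$OfficeVersion = '16.0'
$PolicyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Excel\Security"
$UserKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Excel\Security"

$VbaWarningsMeaning = @{
    1 = 'Enable all macros'                      # never acceptable
    2 = 'Disable all macros with notification'   # Office default; the user can still click Enable
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification'
}

# The GPO-written policy value wins over the user's Trust Center choice.
function Get-OfficeSetting {
    param([string]$Name)
    foreach ($key in $PolicyKey, $UserKey) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [pscustomobject]@{ Value = $item.$Name; Source = $key } }
    }
    return $null
}

# Trusted locations live in Location0..N subkeys; AllLocationsDisabled switches them all off.
function Get-TrustedLocations {
    foreach ($key in $PolicyKey, $UserKey) {
        $root = Join-Path $key 'Trusted Locations'
        if (-not (Test-Path $root)) { continue }
        $disabled = (Get-ItemProperty -Path $root -Name AllLocationsDisabled -ErrorAction SilentlyContinue).AllLocationsDisabled
        Get-ChildItem -Path $root | ForEach-Object {
            $loc = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Source          = $key
                Path            = $loc.Path
                AllowSubfolders = [bool]$loc.AllowSubfolders
                Disabled        = [bool]$disabled
            }
        }
    }
}

$vba    = Get-OfficeSetting -Name VBAWarnings
$level  = if ($vba) { [int]$vba.Value } else { 2 }   # absent = Office default
$source = if ($vba) { $vba.Source } else { 'not set (default)' }
"VBAWarnings = $level : $($VbaWarningsMeaning[$level]) [$source]"
if ($level -ne 3 -and $level -ne 4) { Write-Warning 'Unsigned macros in documents can still be enabled by the user' }

$motw = Get-OfficeSetting -Name BlockContentExecutionFromInternet
"BlockContentExecutionFromInternet = $(if ($motw) { $motw.Value } else { 'not set' })"

"Trusted locations (macros run here regardless of VBAWarnings):"
Get-TrustedLocations | Format-Table -AutoSize
```

      Note the caveat already quoted in this thread: these settings govern macros carried inside documents, and the DCOM pivot the article describes runs its macro regardless of them, so this closes the phishing path rather than the lateral-movement one.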

  9. unwarranted triumphalism

    Can I blame Apple for this?

    I'm going to anyway.

  10. Anonymous Coward

    Opening PDF / XLS / DOCS / XLSx / DOCx

    Even with AV / Firewall.... How safe is it to open these with a live-net-connection? The clever part is usually in the payload. So cut it off at source?

    That won't help with 'exec format c:' type classic destructive viruses / macros etc. But normally Malware / Keyloggers / Ransomware require downloaded payloads, and will generally break without a live connection, yes, no, maybe?



Biting the hand that feeds IT © 1998–2022