UPDATED 22:24 EDT / JUNE 27 2019


120M users at risk from serious vulnerability in Microsoft Excel

Security researchers have uncovered a serious vulnerability in Microsoft Corp.’s Excel that exposes around 120 million users to attack.

Detailed today by security firm Mimecast Services Ltd., the vulnerability relates to how Power Query, a feature in Excel that is able to pull data from other sources, can be abused.

A would-be hacker can use Power Query to dynamically launch a remote Dynamic Data Exchange (DDE) attack from within an Excel spreadsheet and actively control the payload. The vulnerability can also be exploited to launch sophisticated, hard-to-detect attacks that combine several attack surfaces, embed malicious content in a separate data source, and load that content into the spreadsheet when it is opened, compromising the user’s machine.

“The feature gives such rich controls that it can be used to fingerprint a sandbox or a victim’s machine even before delivering any payloads,” the researchers said in a blog post. “The attacker has potential pre-payload and pre-exploitation controls and could deliver a malicious payload to the victim while also making the file appear harmless to a sandbox or other security solutions.”

Microsoft seems to have already known of the potential vulnerability prior to Mimecast’s report. In November 2017 Microsoft published an advisory that included workarounds, including recommending users disable the DDE feature where it is not needed in order to block external data connections. The same advisory did note, however, that users would have to click through a number of security prompts for malicious code to be installed.

There is legitimate concern over the vulnerability as the feature is turned on by default. Meni Farjon, chief scientist of advanced threat detection at cloud email management firm Mimecast, noted that it’s unclear how many organizations are following Microsoft’s earlier advice, saying that “it is unlikely that many organizations have disabled it.”
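Because the workaround in Microsoft’s November 2017 advisory is a per-user Excel setting, the practical question for a defender is whether it is actually applied across a fleet. The following PowerShell script is an added example, not code from the article, Mimecast or Microsoft; it audits the registry value the advisory uses for Excel (WorkbookLinkWarnings = 2 under the Excel Security key, which disables automatic update of workbook links) and can optionally apply it. The Office version numbers are an assumption about a typical environment, and the two DDE server lookup/launch values are checked only as a secondary signal and should be verified against the current advisory for your Office build.

```powershell
# Added example (not from the article, Mimecast or Microsoft): audit and,
# optionally, apply the Excel DDE workaround from Microsoft's Nov 2017 advisory
# for the current user. Run the audit with no switches; add -Apply to set it.
# Office versions are assumed; adjust for your environment.
param([switch]$Apply)

$OfficeVersions = @('14.0', '15.0', '16.0')

function Get-ExcelDdeMitigationStatus {
    param([string[]]$Versions = $OfficeVersions)
    foreach ($v in $Versions) {
        $keyPath = "HKCU:\Software\Microsoft\Office\$v\Excel\Security"
        if (-not (Test-Path $keyPath)) { continue }   # this Office version is not installed for the user
        $props = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue

        # Primary check: the advisory's Excel workaround is WorkbookLinkWarnings = 2
        # (automatic update of workbook links disabled).
        $linkWarnings = $props.WorkbookLinkWarnings
        # Secondary signals (later revisions of the advisory; verify for your build):
        # 1 means the DDE server lookup / launch features are disabled.
        $lookupOff = $props.DisableDDEServerLookup
        $launchOff = $props.DisableDDEServerLaunch

        [pscustomobject]@{
            OfficeVersion         = $v
            WorkbookLinkWarnings  = $linkWarnings
            DisableDDEServerLookup = $lookupOff
            DisableDDEServerLaunch = $launchOff
            # Mitigated only when the advisory's value is present and exactly 2
            WorkaroundApplied     = ($null -ne $linkWarnings -and [int]$linkWarnings -eq 2)
        }
    }
}

function Set-ExcelDdeMitigation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Versions = $OfficeVersions)
    foreach ($v in $Versions) {
        $keyPath = "HKCU:\Software\Microsoft\Office\$v\Excel\Security"
        if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$v\Excel")) { continue }
        if ($PSCmdlet.ShouldProcess($keyPath, 'Set WorkbookLinkWarnings = 2')) {
            if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
            New-ItemProperty -Path $keyPath -Name 'WorkbookLinkWarnings' `
                -PropertyType DWord -Value 2 -Force | Out-Null
        }
    }
}

# Usage: audit first; apply only when -Apply is given (supports -WhatIf).
Get-ExcelDdeMitigationStatus | Format-Table -AutoSize
if ($Apply) {
    Set-ExcelDdeMitigation
    Get-ExcelDdeMitigationStatus | Format-Table -AutoSize
}
```

In an enterprise, the same value is normally pushed through Group Policy Preferences rather than per-machine scripts; the audit function is still useful for spot-checking that the policy actually landed on user profiles, since a missing value (rather than a value of 0) is the more common reason a workstation shows up as unmitigated.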

The only positive from the report is that there are currently no known cases of the vulnerability being exploited in the wild, although that could change now that its details have been published.

Microsoft has not published a fix for the vulnerability nor has it indicated that it is working on one, but with 120 million users at risk and now widespread attention, that may change in the near future.

“Mimecast strongly recommends all Microsoft Excel customers implement the workarounds suggested by Microsoft as the potential threat to these Microsoft users is real and the exploit could be damaging,” the report concluded.
