Security researchers have devised a method to abuse a legitimate Microsoft Excel technology named Power Query to run malicious code on users’ systems with minimal interaction. ZDNet reports: Power Query is a data connection technology that can allow Excel files to discover, connect, combine, and manipulate data before importing it from remote sources, such as an external database, text document, another spreadsheet, or a web page. The tool is included with recent versions of Excel and available as a separate downloadable add-in for older Excel versions.
In research published today and shared with ZDNet, Ofir Shlomo, a security researcher with the Mimecast Threat Center, described a technique through which Power Query features could be abused to run malicious code on users’ systems. The technique relies on creating malformed Excel documents that use Power Query to import data from an attacker’s remote server. “Using Power Query, attackers could embed malicious content in a separate data source, and then load the content into the spreadsheet when it is opened,” Shlomo said. “The malicious code could be used to drop and execute malware that can compromise the user’s machine.” Mimecast’s technique can even bypass security sandboxes that analyze documents sent via email before allowing users to download and open them. Microsoft has yet to issue a fix for the vulnerability, but did release an advisory document for users, offering a way to beef up security.