VRT Advisories

VRT Rules 2006-06-28

Sourcefire VRT Advisory

Date: 2006-06-28


The Sourcefire VRT has continued research into a vulnerability affecting Microsoft Excel and has updated the DocCheck tool to process xls files to determine the presence of an exploit.


Microsoft Security Advisory (921365) Microsoft Excel contains a programming error that can allow a remote attacker to run code of their choosing on an affected host system via the processing of a malformed .xls file. The issue is present in the dynamic link library file HLINK.DLL which handles Universal Resource Identifiers (URI) embedded in office documents.

The DocCheck tool has been updated to process xls files to determine if the file contains possible exploit code for this vulnerability.

DocCheck tool download

download zip archive here

Instructions for use

  1. Unzip the archive
  2. Open a command shell
  3. Execute the tool executable with a document name for checking


Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should upgrade to the latest revision or patch level for Snort to ensure these enhancements are available before using these rules.

About the VRT:

The Sourcefire VRT is a group of leading edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in the network security industry.