CSV Formula injections have been known for a while now, with many security solutions handling these kinds of attacks.
The most common way of dealing with this threat is by applying a regex rule to detect the specific pattern used by Excel in its formulas, the most famous tool (and open-source) is MSODDE of oletools.
As time passes, researchers and attackers are trying to bypass these regex.
We’ve found that Japanese customers are not fully protected by these regex as double-byte Japanese characters can still activate formulas in Japanese versions of excel. To be precise, it is suffice to have a Japanese language pack installed and enabled.
As of writing these lines, these files bypass oletools msodde module and others alike.
The characters are:
| ⇒「\uFF5C」
! ⇒「\uFF01」
= ⇒「\uFF1D」
+ ⇒「\uFF0B」
− ⇒「\uFF0D」
@ ⇒「\uFF20」
Here is a short demonstration:
MSRC does not consider this to be a security issue by itself so we strongly advise Japanese users of Office to assess their environments and security solutions – as there will not be any Microsoft issued security updates on this matter!
We encourage you to try our Disarmer or start a free trial.