Security headaches for Excel users as Microsoft warns of zero-day attack
By John Pospisil
Microsoft is advising Excel users to “exercise extreme caution” when opening unsolicited attachments from known and unknown users.
The company is investigating reports of a “very limited” zero-day attack that takes advantage of a vulnerability in Microsoft Office 2000, Microsoft Office XP, Microsoft Office 2003, and Microsoft Office 2004 for Mac.
For the attack to work, a user must first open a malicious Office file, which may be attached to an e-mail or downloaded from a web site.
While Microsoft is only aware of this vulnerability being exploited in Excel, the company acknowledges that other Office applications are possibly vulnerable to this form of attack.
The Windows Live OneCare safety scanner has been updated by Microsoft to detect and remove the malicious software that attempts to exploit this vulnerability.
Microsoft says it is currently developing a security update for Office that will address the vulnerability.
Excel appears to have suffered from a number of security problems recently, with Microsoft issuing patches for five Excel security vulnerabilities in January.
Incidentally, if you’re wondering what zero-day means in the context of a vulnerability, Wikipedia offers a good definition:
“Zero-day exploits are released before, or on the same day the vulnerability — and, sometimes, the vendor patch — are released to the public. The term derives from the number of days between the public advisory and the release of the exploit … the vulnerability affected unpatched systems for zero days.”
