  • Microsoft Warns of New Excel Vulnerability

    By NewsFactor Network | February 6, 2007

    Microsoft is investigating another zero-day vulnerability in its Office suite of productivity applications after confirming that a critical, unpatched flaw exists in Excel.

    The flaw is called a “zero-day vulnerability” because there is no patch to fix it, which means that hackers can actively exploit it. While Microsoft’s next scheduled round of Windows updates is next Tuesday, there is no word yet on whether a patch will be released at that time to fix the flaw.

    Redmond is investigating a limited number of attacks designed to exploit the vulnerability in several versions of Office, including 2000, 2002, 2003, and 2004 for the Mac.


    Excel Threat

    For this attack to be carried out, according to a security advisory released by Microsoft, a user must first open a malicious Office file, which would typically arrive as an e-mailed attachment, a common strategy among malware writers. If the attached file is opened, the attacker gains the same user rights as the victim.

    The vulnerability also can be exploited through a Web-based attack. In this case, the attacker would host a Web site that contains an Office file designed to corrupt system memory and allow the attacker to execute arbitrary code on the targeted computer.

    Although Excel is the focus of the vulnerability, other Office applications are potentially at risk, according to Redmond. And while Microsoft stressed in the advisory that attackers have no way of forcing users to visit a malicious Web site or open a malicious file, the company did not immediately respond to requests for comment on the possibility of issuing an Excel patch prior to the February 13 round of updates.

    Some users are still waiting for patches for four other critical flaws in Microsoft Word, leaving that software open to attack on at least two fronts. Microsoft has noted that…
