Microsoft Excel zero-day vulnerability confirmed

In what is turning out to be the most serious security year on record, yet another zero-day vulnerability has been discovered in a Microsoft Office product. This time a hole in the Excel spreadsheet has been found, with at least one attack confirmed by Microsoft.

Just one month ago, a hole was discovered in Microsoft Word that enabled attackers to gain control of a computer through an infected Word email attachment. No sooner had that problem been patched than a new vulnerability in Excel surfaced. It allows attackers to gain control of a computer when a user opens a malicious Excel attachment called okN.xls, which infects the computer with a Trojan horse.

In a post to a company blog, Microsoft operations manager Mike Reavey said the company had received a single report from a customer being impacted by an attack using a new vulnerability in Microsoft Excel.

"Here's what we know: In order for this attack to be carried out, a user must first open a malicious Excel document that is sent as an email attachment or otherwise provided to them by an attacker. (note that opening it out of email will prompt you to be careful about opening the attachment) So remember to be very careful opening unsolicited attachments from both known and unknown sources," said Reavey.

The new Microsoft Office zero-day Excel vulnerability is so similar to the previous Word vulnerability that some experts believe that the two attacks are connected in an organised criminal conspiracy. With the Word vulnerability, users had to wait weeks until Patch Tuesday to get a fix. It is not clear whether Microsoft will make users wait that long again to receive a patch for the new Office product hole.

If 2006 is going to be remembered for anything apart from the year Microsoft entered the security space, it could very well be the year that email users had to be careful about opening any emails at all. Flaws in non-executable document attachments and vulnerabilities caused by JavaScript code are rapidly combining to make email an unsafe method to exchange information.
