New Excel vulnerability being exploited

Stephen Withers
Thursday, 17 January 2008 00:39

Your IT - Home IT

Microsoft's Security Response Center has warned of a targeted attack exploiting a vulnerability in older versions of Excel.

Advice issued by the company does not explicitly state how the attack is being delivered, saying only that maliciously crafted Excel files could be delivered as attachments to emails or downloaded from web sites.

Affected versions of the software are Excel 2003 SP2, Excel Viewer 2003, Excel 2002, Excel 2000, and Excel 2004 for Mac. Microsoft especially warns that there are no known workarounds for the issue for Excel 2000 or 2002. Some protection for Excel 2003 can be obtained by installing the Microsoft Office Isolated Conversion Environment and using that to open Excel files, or an Office File Block policy can be set to prevent the opening of Office documents from unknown or untrusted sources or locations.

Older - now unsupported - versions of the spreadsheet program might also be vulnerable.

Excel 2003 SP3, Excel 2007, Excel 2007 SP1, and Excel 2008 for Mac apparently do not have the flaw.

"At this time, we are aware only of targeted attacks that attempt to use this vulnerability'" said Microsoft officials. "Additionally, as the issue has not been publicly disclosed broadly, we believe the risk at this time to be limited."

The company will "take the appropriate action to help protect our customers", possibly by releasing an update as part of the monthly patch cycle.