Wednesday, January 16, 2008

Microsoft Warns of New Excel Vulnerability

The image “http://geeks.ms/photos/dherraiz/images/14471/original.aspx” cannot be displayed, because it contains errors.

Attackers are exploiting a vulnerability that lies within several versions of the Excel spreadsheet program, Microsoft warned late Tuesday.

The problem in Excel allows a hacker to create a malicious Excel document that when opened can compromise a computer, Microsoft said in an advisory. The vulnerability could allow remote code to be executed on a computer, which means a user risks having their personal data exposed.

Microsoft downplayed the risk, saying only targeted attacks have been seen. But since Microsoft Excel documents are commonly used for business, vulnerabilities such as this pose a greater risk.

"Users are familiar with the document being sent to them and are likely to open it," wrote security analyst Maarten Van Horenbeeck, in a commentary on the Web site for the SANS Internet Storm Center, which monitors Internet threats.

The vulnerability is within the Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000 and the Mac version, Microsoft Excel 2004.

Those who have installed Office Service Pack 3, which includes updates for Excel as well as other products in the office productivity suite, are not affected, Microsoft said. That service pack was released last September.

Also not affected are Microsoft Office Excel 2007, Microsoft Office Excel 2007 Service Pack 1 and Microsoft Excel 2008 for the Mac.

A PC user could be attacked a couple different ways. An e-mail with a malicious Excel attachment could be sent, upon which a user would have to download and open it to be exposed, Microsoft said. A hacker could also create a Web site hosting the file and try to persuade people to download it.

Microsoft did not indicate when it would issue a patch for the problem. People who think they may have been attacked can contact Microsoft and their national law enforcement agency.

Source