Microsoft has confirmed field reports of a zero-day vulnerability
in several versions of Microsoft Office. Opening a specially
crafted Excel file may permit an attacker to execute arbitrary
code.
In a security advisory on its site, Microsoft said it is investigating what it calls "very limited" reports from the field of a specially crafted Microsoft Excel file that exploits a vulnerability in certain versions of Microsoft Office. Affected: Microsoft Office 2000, Microsoft Office XP, Microsoft Office 2003, and Microsoft Office 2004 for Mac. Not affected: Microsoft Office 2007 and Microsoft Works 2004, 2005 and 2006.
Opening the Excel file, whether it arrives as an email attachment or is downloaded from a link on a Web site, may corrupt memory in a way that lets an attacker execute arbitrary code with the rights of the logged-on user. Accounts configured with fewer rights than an administrator are therefore less exposed than administrative accounts. While a malicious Excel file is the only vector seen so far, similarly crafted files for other Office applications may also trigger the vulnerability.
On Saturday the Bethesda, Md.-based SANS Internet Storm Center (ISC) said the malware, detected as Exploit-MSExcel.h, currently targets only Excel, but "other Office applications are potentially vulnerable."
The French Security Incident Response Team (FrSIRT) has rated the issue critical, the highest of its four severity levels, and vulnerability clearinghouse Secunia has labeled it highly critical, the second-highest of its five levels.
Microsoft is developing an Office update that addresses the vulnerability. In the meantime, an update to its Windows Live OneCare safety scanner removes malicious software that attempts to exploit it; this is a detection-based stopgap that cleans known exploit files, not a fix for the underlying flaw. Until the update ships, Microsoft advises users to exercise extreme caution when opening or saving unsolicited attachments or following links on Web sites.