An advisory from Cert, the CERT Coordination Center at Carnegie Mellon University, has warned users of a security flaw in Microsoft Office that lets macros run without the usual warning.
Cert said in the notice: "Microsoft Excel and PowerPoint may not detect malformed macros, so a user can unknowingly run macros containing malicious code when opening an Excel or PowerPoint document."
Microsoft and anti-virus companies have tightened macro security in Word to reduce the risk of such attacks since Melissa, the mass-mailing macro virus that hit Microsoft Word users in 1999.
The latest vulnerability concerns Excel and PowerPoint, two applications that have so far attracted far fewer macro viruses than Word.
Cert said that an intruder could trick a victim into opening a crafted document with a vulnerable version of Excel or PowerPoint and thereby execute code with the victim's privileges. Because the flaw is in the macro detection step itself, the document's macros run without the usual macro-security prompt, so the protection relies on the patch rather than on the user's macro security level. The intruder could then read, delete or modify data, send e-mail worms from the victim's account, or change the victim's security settings.
Users are being asked to exercise caution when opening attachments. Richard Brain, technical director at network security firm ProCheckUp, said that this latest vulnerability, combined with another new security hole in Internet Explorer, could pose as serious a threat as Nimda, the worm that swept the Internet in September 2001.
He said that the latest security issue in Internet Explorer concerned security zones, the mechanism by which Internet Explorer applies different security settings to content from the Internet, the local intranet and trusted sites, and which system administrators use to control what web content may do on users' machines.
A Microsoft security bulletin alerted users to a flaw in this mechanism that allows an attacker to have content from an Internet site handled as if it came from the Local intranet zone, whose default settings are less restrictive than those of the Internet zone.
Brain suggests that it would, in theory, be possible for a hacker to combine an Excel/PowerPoint macro attack with an attempt to change security settings in Internet Explorer.
The user's browser would then treat hostile Internet content with the weaker intranet-zone restrictions, leaving the user exposed to a further Internet-based attack. "The one piece missing for another Nimda attack is a flaw in the IIS Microsoft Web server," he concluded.