Microsoft Warns of Excel Zero-Day Attack

Redmond activates its security response process after learning of a zero-day attack against a new, undocumented Excel spreadsheet vulnerability.

A new, undocumented vulnerability in Microsoft's Excel spreadsheet program is being used to launch computer attacks against specific targets, according to a warning from the software maker.
The vulnerability, rated "extremely critical" by Secunia, is being exploited to load a keylogger Trojan on select targets, according to an anti-virus analyst tracking the latest attack.
The attackers are using booby-trapped Excel documents, sent by e-mail to the target's mailbox. If a rigged .xls document is launched, the exploit happens silently in the background, infecting the machine with a Trojan downloader that opens a backdoor and waits for instructions from a server controlled by the attacker.
An advisory from Redmond's security response center insists the attacks are very limited.
"At this time, we are aware only of targeted attacks that attempt to use this vulnerability. Additionally, as the issue has not been publicly disclosed broadly, we believe the risk at this time to be limited," the company said.
Microsoft said the flaw affects Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000, and Microsoft Excel 2004 for Mac.
Desktop users running Microsoft Office Excel 2007 or Microsoft Excel 2008 for Mac, or who have installed Microsoft Office Excel 2003 Service Pack 3 are not affected by this vulnerability.
The company is urging customers who encounter strange Excel documents to contact law enforcement agencies or report the issue to the Internet Crime Complaint Center.
In the absence of a patch, Microsoft recommends that customers use its MOICE (Microsoft Office Isolated Conversion Environment) tool to isolate exploits.
MOICE, available as a free download, can be used in tandem with Group Policy settings to convert documents in legacy (.doc) formats to OpenXML formats, stripping out potentially harmful elements that could pose a potential security risk.
The conversion process takes place in a safe, quarantined sandbox environment, so the user's computer is fully protected. MOICE currently supports the .doc, .ppt, .pot, .pps, .xls, .xlt and .xla file formats.
Microsoft is also encouraging users to use the Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations.

For the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraine's Security Watch blog.