February 5, 2007 7:20 AM PST

Excel under zero-day attack, Microsoft warns

Microsoft is warning of an Excel-focused zero-day attack that affects several versions of its Office software, including one for Macs.

In its security advisory issued Friday, Microsoft warns people of a "very limited" zero-day attack that takes advantage of vulnerabilities in the Excel spreadsheet program.

The "extremely critical" Excel vulnerabilities are found in Microsoft Office 2000, Office 2003 and Office XP, as well as in Office 2004 for computers running Apple's Mac OS, according to a separate advisory from security company Secunia.

Attackers are sending e-mails with malicious Excel attachments and are hosting Web sites that house Office files that attempt to take advantage of the security flaws, according to Microsoft. Once an attacker exploits the vulnerabilities, they can gain control of a person's system remotely.

Microsoft noted that the vulnerabilities may extend beyond Excel.

"While we are currently only aware that Excel is the current attack vector, other Office applications are potentially vulnerable," Microsoft said in its advisory.

Microsoft is telling people to avoid opening or saving Office files that come from distrusted or unknown sources, or files that are e-mailed unexpectedly from trusted sources.

Earlier this month, Microsoft issued patches for five security flaws in Excel as part of its monthly patch cycle. In June, Excel was hit with another zero-day attack.

A zero-day attack is one that exploits software bugs before they have been patched.

16 comments

Confused -
I cannot run Office XP on Mac/OS X. How can that be?
Can only run Office XP on Windows OS...
Posted by ArturoYee (20 comments )
You can run it
Using Parallels or Fusion or Bootcamp. Parallels will run the
environment in a virtual machine; Bootcamp will need you to boot
to XP, but then again there is OpenOffice that runs perfectly on the
Mac.
Posted by MacHeads (70 comments )
Deal of the day; and, a simple solution...
... for you - Run OpenOffice on eComStation (formerly OS/2 Warp - Windows' better half-brother and the OS that banks and the "smart" Russians love) You get OpenOffice (with plenty of Lotus SmartSuite "code" inside) for "free" and you pay less than half-price the price of Windows for eComStation. Quite sure you do not need a rocket scientist to tell you what your savings will be. And just imagine - you do not get locked-in a proprietary office suite!
Posted by Commander_Spock (3123 comments )
Office:mac 2004
Unless the article has been modified it seems pretty clear that the
Mac-aspect of it refers to a vulnerability within the version of Excel
distributed as part of the Office:mac 2004 package. While this is
disturbing news in that a virus writer can use Excel 2004 as a
backdoor into OS X it isn't particularly worrying since it continues
to rely on the user opening the malicious spreadsheet so active
participation is necessary.
Posted by kelmon (1445 comments )
I See - only 2004 version for Macs
I see now ...
Posted by ArturoYee (20 comments )
A New Microsoft Twist or what?
Microsoft usually denies others' claims of a zero-day flaw while they claim their engineers are checking up on it.

But this time around... Microsoft comes out with the information first?!?!?! (* BAFFLED *)

Microsoft still has 4 Zero-day Word flaws as of yet still in an unpatched state and now this Excel one... and brought up by Microsoft first!!!

Somebody has been aware of the flaw since they showed it to Microsoft (probably several months ago) and they probably pushed Microsoft to come out with this notice themselves...

Otherwise it's just not Microsoft-ish at all!

Likewise... even though they mention the zero-day flaw... where's the patch for it and/or when will it be released... along with the other 4 Word zero-day flaws?

No mention of them here either... now that's Microsoft-ish!!!

Walt
Posted by wbenton (522 comments )