Excel under zero-day attack, Microsoft warns

By Dawn Kawamoto
Staff Writer, CNET News

Share
- Digg
- Del.icio.us
- Reddit
- Facebook
- Google
- Newsvine
- Yahoo! Bookmarks
- Twitter
- Stumbleupon
E-mail
Print

Related Stories: Microsoft reissues Excel security update
January 18, 2007; Microsoft leaves Word zero-day holes unpatched
January 9, 2007; Security from A to Z: Zero-day
November 27, 2006; 'Critical' patch for Office coming
September 7, 2006; New Excel zero-day flaw used in attacks
June 16, 2006

Microsoft is warning of an Excel-focused zero-day attack that affects several versions of its Office software, including one for Macs.

In its security advisory issued Friday, Microsoft warns people of a "very limited" zero-day attack that takes advantage of vulnerabilities in the Excel spreadsheet program.

The "extremely critical" Excel vulnerabilities are found in Microsoft Office 2000, Office 2003 and Office XP, as well as in Office 2004 for computers running Apple's Mac OS, according to a separate advisory from security company Secunia.

Attackers are sending e-mails with malicious Excel attachments and are hosting Web sites that house Office files that attempt to take advantage of the security flaws, according to Microsoft. Once an attacker exploits the vulnerabilities, they can gain control of a person's system remotely.

Microsoft noted that the vulnerabilities may extend beyond Excel.

"While we are currently only aware that Excel is the current attack vector, other Office applications are potentially vulnerable," Microsoft said in its advisory.

Microsoft is telling people to avoid opening or saving Office files that come from distrusted or unknown sources, or files that are e-mailed unexpectedly from trusted sources.

Earlier this month, Microsoft issued patches for five security flaws in Excel as part of its monthly patch cycle. In June, Excel was hit with another zero-day attack.

A zero-day attack is one that exposes software bugs before they have been patched.

See more CNET content tagged:
Microsoft Excel, Microsoft Office, vulnerability, attack, Apple Computer

Add a Comment (Log in or register) 16 comments

Confused -
by ArturoYee February 5, 2007 9:21 AM PST: I cannot run Office XP on Mac/OS X. How can that be?
Can only run Offices XP on Windows OS...; Reply to this comment View all 3 replies
Processing

Confused -
by ArturoYee February 5, 2007 9:21 AM PST: I cannot run Office XP on Mac/OS X. How can that be?
Can only run Offices XP on Windows OS...; Reply to this comment View all 3 replies
Processing

I See - only 2004 version for Macs
by ArturoYee February 5, 2007 9:24 AM PST: I see now ...; Reply to this comment

I See - only 2004 version for Macs
by ArturoYee February 5, 2007 9:24 AM PST: I see now ...; Reply to this comment

A New Microsoft Twist or what?
by wbenton February 6, 2007 6:15 AM PST: Microsoft usually denies other's claims of a zero-day flaw while they claim their engineers are checking up on it.

But this time around... Microsoft comes out with the information first?!?!?! (* BAFFLED *)

Microsoft still has 4 Zero-day Word flaws as of yet still in an unpatched state and now this Excel one... and brought up by Microsoft first!!!

Somebody has been aware of the flaw since they showed it to Microsoft (probably several months ago) and they probably pushed Microsoft to come out with this notice themselves...

Otherwise it's just not Microsoft-ish at all!

Likewise... even though they mention the zero-day flaw... where's the patch for it and/or when will it be released... along with the other 4 Word zero-day flaws?

No mention of them here either... now that's Microsoft-ish!!!

Walt; Reply to this comment

A New Microsoft Twist or what?
by wbenton February 6, 2007 6:15 AM PST: Microsoft usually denies other's claims of a zero-day flaw while they claim their engineers are checking up on it.

But this time around... Microsoft comes out with the information first?!?!?! (* BAFFLED *)

Microsoft still has 4 Zero-day Word flaws as of yet still in an unpatched state and now this Excel one... and brought up by Microsoft first!!!

Somebody has been aware of the flaw since they showed it to Microsoft (probably several months ago) and they probably pushed Microsoft to come out with this notice themselves...

Otherwise it's just not Microsoft-ish at all!

Likewise... even though they mention the zero-day flaw... where's the patch for it and/or when will it be released... along with the other 4 Word zero-day flaws?

No mention of them here either... now that's Microsoft-ish!!!

Walt; Reply to this comment

Latest tech news headlines

Unisys hopes ex-Gateway chief can turn it around
Posted in News - Business Tech by Jennifer Guevin

October 7, 2008 7:35 PM PDT
CEA: Economy down, TV sales up
Posted in Crave by Leslie Katz

October 7, 2008 6:25 PM PDT
Click-to-buy links for songs, games added to YouTube
Posted in News - Digital Media by Jennifer Guevin

October 7, 2008 5:57 PM PDT
See all headlines

Resource center from News.com sponsors

You Need The Speed of Norton 2009

Introducing Norton Internet Security™2009

With one-click, one-minute install, under 8MB of memory usage and fewer, shorter scans, it's the fastest security suite anywhere. Norton. Smart Security, Engineered for Speed. Get a FREE trial today!

The Fastest Security Suite Anywhere

Experience the revolutionary Norton Internet Security™ 2009. With Norton™ Insight, a new feature, you get precision security that targets only at risk files for fewer, faster, shorter scans

Win a Trip to Space!*

Enter the Blast Off with Norton Sweepstakes for your shot at a trip to space. You could experience being fast and weightless, just like the new Norton 2009. *No purchase necessary; click for full details.

FREE Trial!

Act now to get your FREE trial of Norton Internet Security 2009. Try it for the protection. Love it for the speed

Norton Safe Web NEW!

A community-based system that rates web site safety

Norton Labs NEW!

Users can download new security technologies and share input directly with developers. Help us shape our future products!

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

Inside CNET News

Scroll Left Scroll Right

News - Business Tech
Unisys hopes ex-Gateway chief can turn it around
Struggling IT services company has chosen Edward Coleman, a man it says has a long history of transforming troubled tech companies, to take over as CEO.
Gallery
Photos: Messenger returns to Mercury
Crave
CEA: Economy down, TV sales up
Sales in flat-panel TVs and game hardware should do fine during the upcoming holidays, the Consumer Electronics Association says.
Outside the Lines
No escape from the perfect financial storm
After this perfect storm, brewed out of years of habit and taken down by mortgages for the masses, consumers and businesses will be far more conservative in their spending habits.
Video
Mercury exposed
News - Digital Media
Click-to-buy links for songs, games added to YouTube
YouTube is adding links to Amazon.com and the iTunes Store from the pages of thousands of its videos, making it easier for people to buy an MP3 they hear or a video game that looks good.
Video
DIY political ads proliferate
News - Politics and Law
CBS live Webcast: Presidential debate, round two
Continuing our coverage of Election 2008, CBS News and CNET are presenting a live Webcast of Tuesday's presidential debate, followed by Web-only analysis and commentary.
News - Cutting Edge
Astronaut training awaits Esther Dyson
The tech pundit and investor is girding for six months of training at Russia's Star City, as an understudy to International Space Station-bound Charles Simonyi.
Gallery
Photos: Top 10 reviews of the week
Crave
HTC Touch HD won't be coming to the U.S.
HTC announces that it will not bring the Touch HD smartphone to the United States.
Green Tech
Army plans 500-megawatt solar thermal farm
A new Army energy strategy includes plans for what could become the world's largest solar thermal farm, as well as geothermal and biomass-to-fuel projects.