Thirteen security updates and a cornucopia of exploit code were already a lot for Microsoft customers to digest in one week. Now the software giant is warning of a new zero-day flaw in Excel that attackers could exploit to launch malicious code.
Microsoft Security Response Center Program Manager Mike Reavey said in the center's blog that one customer has reportedly been affected by an attack using a new vulnerability in the spreadsheet program.
"Here's what we know: In order for this attack to be carried out, a user must first open a malicious Excel document that is sent as an email attachment or otherwise provided to them by an attacker," he said. "So remember to be very careful opening unsolicited attachments from both known and unknown sources."
He said the Windows Live Safety Center has been updated to detect the flaw "for up-to-date removal of malicious software that attempts to exploit the vulnerability."
Danish vulnerability clearinghouse Secunia issued an advisory labeling the flaw "extremely critical." That's the firm's highest severity rating and is typically reserved for remotely exploitable vulnerabilities that can lead to system compromise.
"This vulnerability is a so-called zero-day and is already being actively exploited," Secunia said, adding that the flaw is caused by an unknown error in the processing of specially crafted Excel documents. Secunia confirmed the security hole on a fully updated Windows XP SP2 system with Microsoft Excel 2003 SP2. Other versions may also be affected, Secunia warned.
The Bethesda, Md.-based SANS Internet Storm Center (ISC) is recommending users mitigate the Excel threat by heeding the same advice it offered last month, when Microsoft Word was hit by zero-day exploits. At the time, ISC recommended users observe at least some of the following defenses:
"These very general best practices should help alleviate the danger until Microsoft releases a patch or more specific workarounds" for the Excel flaw, the center said.