Microsoft has confirmed field reports of a zero-day vulnerability in several versions of Microsoft Office. Opening a specially crafted Excel file may permit an attacker to execute arbitrary code.
In a bulletin on its site, Microsoft said it is investigating what it calls "very limited" reports from the field of a specially crafted Microsoft Excel file that exploits a vulnerability in certain versions of Microsoft Office, including: Microsoft Office 2000, Microsoft Office XP, Microsoft Office 2003, and Microsoft Office 2004 for Mac; Microsoft Office 2007, and Microsoft Works 2004, 2005 and 2006 are not affected.
Opening the Excel file, either as an attachment to an email or as a link on a Web site, may corrupt system memory in a way that an attacker could exploit to execute arbitrary code. The attacker could gain the same user rights as the local user. While the Excel file is the only known vector at this time, other similar files for other applications may also exploit this vulnerability.
Saturday the Bethesda, Md.-based SANS Internet Storm Center (ISC) said the malware, known as Exploit-MSExcel.h, is currently only targeting Excel, but "other Office applications are potentially vulnerable."
The French Security Incident Response Team (FrSirt) has deemed the issue critical, and vulnerability clearinghouse Secunia has labeled it highly critical, the organizations' highest respective levels of severity.
Microsoft is in the process of developing an update for Office that addresses this vulnerability, though an update to its Windows Live OneCare safety scanner removes malicious software that attempts to exploit this vulnerability. In the meantime, Microsoft advises users to exercise extreme caution when opening or saving unsolicited attachments or links on Web sites.