Attackers are actively exploiting a zero-day flaw in Microsoft Excel to infect and hijack targeted machines, the software giant warned in an advisory yesterday. The only defense at this point is to avoid opening Excel files from untrusted sources.
Microsoft Excel is used in many banking and financial firms and is the most popular spreadsheet application used by businesses for many bookkeeping tasks.
Microsoft Security Response Center spokesman Tim Rains said in an email Tuesday that the vulnerability affects Microsoft Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000, and Microsoft Excel 2004 for Mac. Customers who are using Microsoft Office Excel 2007, Microsoft Excel 2008 for Mac or have installed Microsoft Office Excel 2003 Service Pack 3 are not affected, he said.
Microsoft Security Advisory (947563) acknowledges "limited attacks" against the vulnerability. Microsoft said that once its investigation is completed it may release a patch either through its monthly security update or as an out-of-cycle release.
"Microsoft continues to encourage customers to follow the guidance of enabling a firewall, applying all software updates and installing antivirus and antispyware software," the software giant said in the advisory.
In addition to not opening untrusted Excel files, Microsoft recommended Excel 2003 customers consider using the Microsoft Office Isolated Conversion Environment (MOICE) or Microsoft Office File Block policy. MOICE is designed to convert Office 2003 files to the new Office 2007 Open XML format with the goal of squeezing malicious exploits from the file. It creates a "sandbox" with a restricted tolken where documents are scrubbed for malware. Once the malware is ejected, the file can be opened as it normally is in Office 2003.