Critical vulnerability in Excel - Updated
According to unconfirmed reports, the anti-virus manufacturer Symantec has found a trojan that seems to use a security hole in Microsoft Excel to remotely execute code on a user's system. The attack is triggered by opening a maliciously crafted Excel file, which exploits an as yet unspecified remote code-execution vulnerability.
However, details are still scarce. What is known is that Microsoft Excel 2007 is vulnerable and previous versions may also be vulnerable to the attack. The best way to protect against such attacks is to only open files from trusted sources.
Update: Microsoft have now acknowledged that they are investigating reports of the vulnerability, but say they are only aware of limited and targeted attacks attempting to exploit the vulnerability. Microsoft also confirm that an attacker would gain local user rights in the case of successful exploitation.
Malware exploiting the vulnerability will need to convince a user to download an Office file or open an e-mail attachment. Microsoft's advisory lists Excel 2000 SP3, Excel 2002 SP3, Excel 2003 SP3, Excel 2007 SP1, Excel Viewer, Excel Viewer 2003 and Microsoft Office 2004 and 2008 for Mac as affected.