In association with heise online

16 January 2008, 10:36

Critical vulnerability in Excel already being exploited

Microsoft has released a security advisory concerning a security vulnerability in its Excel spreadsheet application which can be exploited by attackers to run malicious code. According to the security advisory, the vulnerability is already being actively exploited.

The bug affects Microsoft Office Excel 2003 Service Pack 2, Excel Viewer 2003, Excel 2002, Excel 2000 and Microsoft Excel 2004 for Mac. The company has not released any details of the vulnerability. However, Excel 2007, Excel 2008 for Mac and Excel 2003 with Service Pack 3 are apparently not vulnerable.

Users of older versions of Excel should be able to protect themselves by using the Microsoft Office Isolated Conversion Environment (MOICE). To do so, users must install all available Office updates, plus the Office 2007 file format compatibility pack.

MOICE is available from the Windows update website. After installation, Excel files then need to be associated with MOICE. This can be carried out from the command line using the commands ASSOC .XLS=oice.excel.sheet, ASSOC .XLT=oice.excel.template and ASSOC .XLA=oice.excel.addin. This makes MOICE convert Excel files to the Office 2007 format upon opening, filtering out any potentially dangerous code. Users of older versions of Office can open the converted files by installing the compatibility pack, but won't be able to convert files without Office 2003 or 2007 installed.
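
The association step described above, written as a Windows batch script. This is an added example, not from the article or from Microsoft's advisory. It checks that the MOICE ProgIDs are present, records the current associations, then applies and verifies each change. The backup file name and the assumption that MOICE registers its ProgIDs under HKEY_CLASSES_ROOT are assumptions of this example.

```bat
@echo off
rem Added example. Run from an elevated command prompt (ASSOC writes machine-wide settings).
setlocal
rem Hypothetical backup location: next to this script.
set "BACKUP=%~dp0excel-assoc-backup.txt"

rem Assumption: installing MOICE registers these ProgIDs under HKEY_CLASSES_ROOT.
rem Pointing .xls at a missing ProgID would leave Excel files unopenable, so stop early.
for %%P in (oice.excel.sheet oice.excel.template oice.excel.addin) do (
    reg query "HKCR\%%P" >nul 2>&1
    if errorlevel 1 (
        echo %%P is not registered. Install the Office updates and compatibility pack first.
        exit /b 1
    )
)

rem Record the current associations once, so they can be restored when a patch ships.
if not exist "%BACKUP%" (
    for %%E in (.xls .xlt .xla) do assoc %%E >> "%BACKUP%" 2>nul
)

call :setassoc .xls oice.excel.sheet    || exit /b 1
call :setassoc .xlt oice.excel.template || exit /b 1
call :setassoc .xla oice.excel.addin    || exit /b 1
echo Excel file types now open through MOICE. Previous values saved in "%BACKUP%".
exit /b 0

:setassoc
rem %1 = extension, %2 = ProgID. Apply the association, then read it back.
assoc %1=%2 >nul 2>&1
for /f "tokens=2 delims==" %%A in ('assoc %1 2^>nul') do (
    if /i "%%A"=="%2" exit /b 0
)
echo Failed to associate %1 with %2. Is this prompt elevated?
exit /b 1
```

Each line of the backup file has the form `.ext=ProgID`, so it can be passed back to ASSOC line by line to undo the change once a fix is installed.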

According to the security advisory from Microsoft, targeted attacks using crafted Office documents are currently being carried out. Attacks of this type, especially on company management and board members, were already seen last year. The Microsoft development team is still looking into the vulnerability, and it's not currently known when a fix for the vulnerability will be released.
