Hackers Targeting Microsoft Zero-Day Excel Flaw: Microsoft Offers Kludgey Fix

Late yesterday, Microsoft confirmed in a security advisory (947563) that hackers are targeting a significant vulnerability in multiple versions of Excel. The vulnerability appears to be a previously unknown zero-day, and a successful attack could result in various levels of control over the affected system -- depending on how user rights have been configured.

1 Min Read
Dark Reading logo in a gray background | Dark Reading

Late yesterday, Microsoft confirmed in a security advisory (947563) that hackers are targeting a significant vulnerability in multiple versions of Excel. The vulnerability appears to be a previously unknown zero-day, and a successful attack could result in various levels of control over the affected system -- depending on how user rights have been configured.As is the case with most flaws in Microsoft Office, attacks typically come in the form of a maliciously crafted e-mail attachment or downloadable file on a Web site.

The company is suggesting users running Office 2003 SP 2 use the Microsoft Office Isolated Conversion Environment (MOICE) to convert documents to the new Office open XML format.

That means, the best options for you is caution when opening Excel files from ... anyone. These types of attacks, targeting client software and file formats, have been on the rise in recent years. They've included everything from PDF files to Word documents and PowerPoint presentations. And as it's already been said many times: don't open attachments (never, ever) from unknown sources. For the next few weeks it's a great idea to actually check with friends and co-workers that they actually sent you that Excel file to review.

According to the software company, the flaw may only affect users running Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000, and Microsoft Excel 2004 for Mac.

So far, users of Excel 2007 or those running the just released Excel 2008 for the Mac are not vulnerable. Neither is anyone running Microsoft Office Excel 2003 Service Pack 3.

The security advisory is available here. Hopefully, an actual patch will be available soon.

About the Author

George V. Hulme, Contributing Writer

An award winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights