Microsoft confirms Excel flaw; outlines defense

The Microsoft Security Response Center has confirmed ongoing attacks against Excel and is recommending that users either run files through a tool that strips out exploit code or block Office 2003 and earlier formats except for those from trusted locations.

In its advisory MSRC late Tuesday said:

Microsoft is investigating new public reports of vulnerability in Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000, and Microsoft Excel 2004 for Mac. At this time, our initial investigation indicates that customers who are using Microsoft Office Excel 2007 or Microsoft Excel 2008 for Mac, or who have installed Microsoft Office Excel 2003 Service Pack 3 are not affected by this vulnerability.

When the software giant is done investigating, it said it will "take appropriate action," which means it may or may not issue a patch. Microsoft last patched an Excel edition in August.

Microsoft also downplayed the vulnerability and noted that it was only aware of targeted attacks and the flaw hasn't been disclosed broadly (until now). "We believe the risk at this time to be limited," said Microsoft. For instance, the vulnerability can't be exploited on Microsoft Office Excel 2003 Service Pack 3, Microsoft Office Excel 2007, Microsoft Office Excel 2007 Service Pack 1, or Microsoft Excel 2008 for Mac.

However, an "attacker who successfully exploited this vulnerability could gain the same user rights as the local user," said Microsoft. Translation: This could be a real headache if the hacker snares an admin account.

As for the attack vector, the vulnerability can't be exploited automatically via email, but a user has to open an attachment--this is no comfort to me since users always open attachments.

Microsoft notes:

In a Web-based attack scenario, an attacker would have to host a Web site that contains a specially crafted Excel file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's site.

The workaround for this bug depends heavily on the Microsoft Office Isolated Conversion Environment (MOICE), a free Office conversion tool that was released last year. If any attachment looks suspicious, Microsoft recommends running it through MOICE. This approach will protect Office 2003 installations, but you're out of luck if you have Excel 2002 or Excel 2000, two versions that don't have workarounds.

This KnowledgeBase document has the more details on MOICE.

A cruder workaround would be to block Office 2003 and earlier documents from unknown sources. There are dangers to this approach and only the technically inclined (your admin) should use it. The file blocking approach is your last ditch effort.