Report: Hole found in Excel

According to security expert Georgi Guninski, the problem occurs when a user opens an Excel spreadsheet file and chooses to view it with an XML stylesheet. If the stylesheet contains specially formed code, said Guninski in a security note on his Web site, the PC will try to run that code.

"As script kiddies know, this may lead to taking full control over a user's computer," said Guninski. "Excel does not give any warning to the user--just asks whether to use the style sheet or not." However, Guninski added, by default Excel does not display spreadsheet files with the stylesheet.

XML, or Extensible Markup Language, is a system for defining specialized markup languages that are used to transmit formatted data.

On his site, Guninski has posted a sample piece of code that would fool Excel XP into thinking it contains a link to a stylesheet but which in fact runs a command that lists directory contents on the user's PC.

To be safe, said Guninski, users should not use XML stylesheets. Guninski said that Microsoft was notified of the flaw on 23 May. Microsoft did not immediately respond to requests for comment.

The flaw is the latest in a slew of security alerts to hit Microsoft products. Last week the company warned Windows NT and 2000 users of a new flaw in its debugger tools that could give attackers complete control of a system once they've gained basic access to that system.

A week before, Microsoft urged Windows users to download a fix for Internet Explorer after six new flaws were found in the Web browser. The software company called three of the flaws critical, but only one of them--a cross-site scripting error that affects only Internet Explorer 6.0--would allow an attacker or a worm to run a program on the victim's computer.