Microsoft confirms 0-day in Excel, expands list of vulnerable systems

Microsoft has confirmed that the code execution vulnerability reported yesterday in Excel is real, and has expanded the list of vulnerable systems.Microsoft has stated that the code execution vulnerability discovered by Symantec, now known by CVE number 2009-0238, is legitimate.

Microsoft has confirmed that the code execution vulnerability reported yesterday in Excel is real, and has expanded the list of vulnerable systems. Microsoft has stated that the code execution vulnerability discovered by Symantec, now known by CVE number 2009-0238, is legitimate. They have also expanded their list of vulnerable versions to include all fully patched versions of Excel from 2000 onwards.

Microsoft has provided additional recommendations on how to avoid being compromised by the vulnerability until a patch is available, including recommending the use of MOICE to effectively defang any malicious documents as well as avoiding any Excel file that is compatible with Office 2003 or earlier.

Don't look too smug there, Mac users; Office 2004 and Office 2008 for the Mac are vulnerable, and MOICE is a Windows-only product.