Microsoft is warning of zero-day attacks against users of some older versions of Excel.
Versions of Microsoft Office Excel containing the zero-day vulnerability include Excel 2003 Service Pack 2, Excel Viewer 2003, Excel 2002, Excel 2000 and Excel 2004 for Mac.
The vulnerability is caused due to an unspecified error in the handling of Excel files, and can be exploited via a specially crafted Excel file with malformed header information, according to a Secunia advisory. Exploit code is publicly available, Secunia warned.
The attacks have so far been limited in scope, according to a Microsoft security advisory. In the advisory, Microsoft said it believes the risk to customers at this time to be "limited" as the attacks are targeted and the vulnerability has not been "publicly disclosed broadly".
However, no patch is currently available and Microsoft is advising customers who believe they have been attacked to contact their national law-enforcement agency. For example, US customers who believe they are victims of a cyberattack should contact the FBI. UK users have no such option as currently there is no centralised unit that the crime can be reported to. Law-enforcement professionals advise UK businesses to report suspected cybercrime to their local police.
Email-borne attacks on this vulnerability require the user to open an attachment to become infected. Infected websites must be visited by the user, which Microsoft claimed was a mitigating factor. One method for luring victims to infected websites is to persuade them to click on a link in an email or IM, said Microsoft.
Users running Microsoft Office Excel 2003 Service Pack 2 that have deployed Microsoft Office Isolated Conversion Environment (MOICE) are not affected by this vulnerability. MOICE can be used as a sandbox to test suspect files, but is primarily meant to be used to convert files from Office 2003 binary documents to the Office Open XML format used in Office 2007.
Miicrosoft claimed another mitigating factor is that Microsoft Office Excel 2003 Service Pack 3, Microsoft Office Excel 2007, Microsoft Office Excel 2007 Service Pack 1, and Microsoft Excel 2008 for Mac do not suffer from this vulnerability.