Microsoft Warns Over Excel Flaw
Microsoft on Monday issued a security advisory for the vulnerability in Excel that was disclosed by the company's Security Response Center on Friday. According to Microsoft, zero-day attacks are being carried out against a vulnerability in Excel 2000, 2002, 2003 and Excel 2004 for Mac.
The exploit, currently being sent via e-mail, could give an attacker the same rights as a user, which could lead to a full system compromise. Although Excel 2002 and 2003 prompt a user before opening a potentially malicious Excel file, Excel 2000 does not.
Microsoft is currently investigating the issue, and has updated its Windows Live Safety Center with definitions to remove malware installed by the exploit. The Redmond company is also working with its security partners to make sure their products detect an attack.
In the meantime, Microsoft says users can take a number of steps to protect themselves from the vulnerability. Excel 2003 users can prevent the software from entering "Repair Mode," which is where the attack takes place. However, this step requires manually editing the registry.
Administrators can also block all incoming Excel files at the gateway, or prevent Outlook from opening them as attachments. But this approach will not prevent a Web-based attack, Microsoft notes. Users can also remove the file association with Excel so that XLS files cannot be opened.
It is likely that Microsoft will release a patch for the vulnerability in its next Patch Tuesday release, slated for July 11.
"Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs," the company said in the advisory.