Another Excel 2003 file format exploit discovered in the wild
A new and reportedly dangerous exploit has already been discovered in the wild, and this time it affects users of Excel with the older file format.
Security firm Secunia today classified as extremely critical an exploit involving versions of Excel 2003 prior to Service Pack 2. Though Microsoft released a security advisory on the problem this morning, no details are available as to the nature of the exploit.
However, it appears that, unusually for the present day, the vulnerability was discovered because the exploit had already been released in the wild, making this a true "zero-day" affair.
According to a Microsoft security advisory released yesterday, public reports alerted the company to the vulnerability. It is once again advising customers either not to open Excel 2003 documents from an untrusted source, or to use a tool called the Isolated Compatibility Environment (MOICE), part of the Office Compatibility Pack, to convert files into the new Office Open XML format. Through the Compatibility Pack, the converted files would still be accessible through Excel 2003, according to a Microsoft Knowledge Base article published last May.
Back in June 2006, Microsoft reported a critical vulnerability caused by Excel 2003 files, which it said at that time could trigger remote code execution. This week's vulnerability was described in somewhat less detail: apparently, a maliciously crafted Excel file can elevate the privileges of limited accounts. Usually that can result in the capability of running code remotely, though Microsoft did not specify that explicitly, which could mean that this week's vulnerability may invoke the trigger but may not carry a malicious payload.