updated 07:20 pm EST, Mon February 5, 2007
Excel 'zero-day' attack
Microsoft last week began warning users of new “zero-day” attacks using a vulnerability in Microsoft Office 2004 for Mac as well as Microsoft Office 2000, Microsoft Office XP, and Microsoft Office 2003. Specifically, the attack exploits a flaw Excel spreadsheet component of the business software suite and is rated as "extremely critical" by security firm Secunia, but Microsoft on Friday said that users are vulnerable if they open a any malicious Office file, indicating it may affect other components as well. "While we are currently only aware that Excel is the current attack vector, other Office applications are potentially vulnerable," the company said in a Microsoft Security Advisory posted to its website. Ironically, the warning comes days after Microsoft chairman Bill Gates attacked Mac security.
Security firm Secunia noted that the vulnerability is caused due to an unspecified error when handling strings and can be exploited to cause a memory corruption and that warned that successful exploitation allows execution of arbitary code, resulted in a compromised user system.
"As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources. Microsoft has added detection to the Windows Live OneCare safety scanner for up-to-date removal of malicious software that attempts to exploit this vulnerability," Microsoft said in its security advisory.
The company said it would provide free tech support to customers who believe they are affected by the zero-day attacks, noting that there is no charge for support calls that are associated with security updates. A zero-day attack is one that exposes software bugs before they have been patched.
Although the world's largest software company said it is developing a security update for Office that addresses this vulnerability, it provided no time frame and could only tell users not to open files from untrusted sources.