Microsoft warned on Friday that the software giant has received a single report of a company targeted by an attack using a previously unknown flaw in Excel.
The warning comes the same week that Microsoft fixed a flaw in Word that had been used in targeted attacks that, at least on the face, appear similar. The software giant said its Office team is currently investigating the flaw and reiterated that customers should be cautious of attachments.
"In order for this attack to be carried out, a user must first open a malicious Excel document that is sent as an email attachment or otherwise provided to them by an attacker," Mike Reavey, operations manager for the Microsoft Security Response Center, said in a post to the MSRC blog, noting that Windows will warn user to be careful of opening attachments from e-mail. "So remember to be very careful opening unsolicited attachments from both known and unknown sources."
A year ago, the national computer emergency response teams in the United Kingdom, Canada and Australia all warned of targeted attacks hitting organizations in those countries. While the U.S. organization, US-CERT, did not issue an alert, antivirus companies acknowledged that low-volume e-mail attacks had targeted U.S. companies and government agencies. The attacks using Word and Excel flaws appear to continue the trends toward more focused attacks, while making the attacks much harder to detect because the exploited flaw had been previously unknown.
Microsoft urged customers that believe they have been compromised by an attack using the Excel flaw to go to the company's Windows Live Safety Center to detect and remove the threat.
Posted by: Robert Lemos