Targeted attack exploits zero-day Excel flaw
Robert Lemos 2008-01-16

Microsoft warned customers late Tuesday that a previously unknown vulnerability in its Excel spreadsheet software for Windows and Mac OS X is currently being exploited in a targeted attack.

The flaw affects older versions of Excel, including Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000, and Microsoft Excel 2004 for Mac, the software giant stated in an advisory. For the attack to be successful, the victim would have to open a specially-crafted Excel file. A successful compromise would give the attacker the same privileges on the system as the user.

"We currently have teams working to develop an update of appropriate quality for release in our regularly scheduled bulletin process or as an out-of-band update, depending on customer impact," Bill Sisk, a member of the security-response communications team, said on the Microsoft Security Response Center blog. "While the attack appears to be targeted, and not widespread, we are monitoring the issue and are working with our ... partners to help protect customers."

Flaws in Microsoft's Office productivity applications have become standard weapons for fraudsters conducting targeted attacks aimed at high-level managers and executives. While only a handful of high-impact flaws were found in Excel between 2002 and 2006, at least 13 were discovered in 2007, according to data from the National Vulnerability Database. Vulnerabilities in Microsoft Office have been used in industrial espionage and in attacks on government systems.

Users of Microsoft Office Excel 2003 Service Pack 3, Microsoft Office Excel 2007, Microsoft Office Excel 2007 Service Pack 1, or Microsoft Excel 2008 for Mac are not affected by the vulnerability, Microsoft said in its advisory. In addition, customers who have installed Microsoft's Office Isolated Conversion Environment (MOICE) are immune to the effects of the vulnerability, the software giant stated.



Copyright 2006, SecurityFocus