Late on Friday, Microsoft issued a security advisory confirming the vulnerability. The flaw, which affects all versions of Microsoft Office 2000, Office XP, Office 2003, and Office 2004 for Mac OS X, is being actively exploited today with an Excel zero-day attack. An advisory by Secunia rates this vulnerability as "extremely critical."
Microsoft warned that Excel is being actively exploited but only in "very limited" attacks. The company also warned that "other Office applications are potentially vulnerable."
This flaw marks the fifth security issue for Microsoft Office since December 2006, where no patch is yet available. Most of these flaws have seen targeted "zero-day" exploit attacks in the wild, albeit in limited numbers.
Other flaws in the popular Office suite are also being actively exploited today in very limited, targeted attacks and have seen at least one Trojan horse (with very low infection rates, but a demonstration video from Symantec is available). Malicious documents exploiting the latest flaw and prior flaws may be received by users through e-mail or other means.
All Office users are cautioned against opening Microsoft Office documents until patches become available. Office 2007, released at the end of January 2007, is not affected by this latest flaw.
Prudent users may wish to use the free Open Office suite to open their Microsoft Office documents until Microsoft issues patches.
Posted by: Kelly Martin