Microsoft announced on Tuesday that the company is working on fixing a flaw in its Excel spreadsheet program after information-stealing Trojan horse programs targeted the vulnerability.
The attacks — first noticed by antivirus firms on Monday — allow remote exploitation of a computer, if a vulnerable version of Excel is used to open a maliciously-created file. In its advisory, Microsoft said exploitation of the flaw allows an attacking program to take control of a computer with the privileges of the user that opened the file.
"At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability," Bill Sisk, senior program manager for Microsoft's Security Response Center (MSRC), said in a statement posted on the MSRC blog. "We are developing a security update for Microsoft Office that addresses this vulnerability."
Microsoft Office applications have become regular targets of attacks by online criminals seeking to steal data from corporate executives using Trojan horses. Starting in 2006, the number of vulnerabilities found in Office programs jumped more than six-fold, while malicious programs that trick users into running them — known as trojans — grew to become the most popular type of attack.
The latest vulnerability affects Microsoft Office Excel 2000, 2002, 2003, and 2007 as well as Excel Viewer and Microsoft Excel for Mac 2004 and 2008, according to the company's advisory. The attacks currently target Excel 2007, but could work on earlier versions of the program, according to Symantec, the owner of SecurityFocus.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos