US-CERT Warns of Unpatched Excel Flaw

Microsoft Excel users beware.

According to US-CERT, an unpatched vulnerability may well put you and your precious spreadsheet data at risk.

The zero day vulnerability affects Microsoft Excel 2003, Microsoft Excel XP (2002) and Microsoft Excel for Mac products.

Using a maliciously designed Excel file, an attacker could potentially gain control of a users PC. The file could be included as an e-mail attachment, via a Web site download or even via other Microsoft Office documents in which the Excel file may be embedded.

Security firm Secunia has given the vulnerability its highest rating of ‘Extremely “Critical.”

Symantec explained in its advisory on the vulnerability that the exploit involves the use of a Trojan Horse as the attack vector for the flaw.

“Trojan.Mdropper.J is a Trojan horse that drops Downloader.Booli.A on the compromised computer,” Symantec’s advisory said. “It exploits an undocumented vulnerability in Microsoft Excel.”

Mike Reavey of Microsoft’s Security Response Center Blog wrote that as of Saturday Microsoft had only received a report of a single customer being impacted.

Microsoft advised Excel users to be cautious when opening attachments that come from either known or unknown sources.

As of 11 AM ET today, a formal workaround for the flaw has not yet been made available by Microsoft.

“The MSRC, together with the SWI team, have identified some workarounds that help stop the attack,” Reavey blogged on Saturday. “However we’re concerned that they might have an impact to the usability of Excel. Based on some of the customer feedback regarding the recent Word workarounds, we want to take the extra time to fully vet our guidance.”

Microsoft also recently patched its Word application as part of the June patch release cycle.