A Microsoft advisory Tuesday indicated that the security risk does not appear to impact the latest Excel releases.
Microsoft on Tuesday posted a security advisory warning of a vulnerability in several versions of Microsoft Office Excel that affects both Windows and Mac OS users.
The affected versions include Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000, and Microsoft Excel 2004 for Mac.
Microsoft said that Microsoft Office Excel 2007, Microsoft Excel 2008 for Mac, and Microsoft Office Excel 2003 Service Pack 3 do not appear to be vulnerable.
"At this time, Microsoft is aware of specific targeted attacks that attempt to use this vulnerability," said Tim Rains, security response communications lead for Microsoft, in an e-mail. "Microsoft is aggressively investigating the public reports and customer impact."
Because the flaw is believed not to be widely known, Microsoft considers the risk to be limited.
The attack relies on a maliciously crafted Excel file that contains malformed header information. Attempting to open the file, either through a Web browser or as an e-mail attachment, can corrupt system memory, which could give an attacker the opportunity to execute code remotely on the victim's system or to obtain elevated user privileges.
"In a Web-based attack scenario, an attacker would have to host a Web site that contains a specially crafted Excel file that is used to attempt to exploit this vulnerability," Microsoft said in its advisory. "In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker's site."
Both Microsoft and US-CERT, part of the National Cyber Security Division at the Department of Homeland Security, recommend that Microsoft Office users not open unexpected e-mail messages with attachments or messages from unfamiliar sources.
In a blog post, Microsoft said it is working on a fix that will be released either as part of its regular patch schedule or in an out-of-band release, depending on the impact of the vulnerability.