The affected versions include Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000, and Microsoft Excel 2004 for Mac.
Microsoft said that Microsoft Office Excel 2007, Microsoft Excel 2008 for Mac, and Microsoft Office Excel 2003 Service Pack 3 do not appear to be vulnerable.
"At this time, Microsoft is aware of specific targeted attacks that attempt to use this vulnerability," said Tim Rains, security response communications lead for Microsoft, in an e-mail. "Microsoft is aggressively investigating the public reports and customer impact."
Because the flaw is believed not to be widely known, Microsoft considers the risk to be limited.
The attack relies on a maliciously crafted Excel file that contains malformed header information. Attempting to open the file, either through a Web browser or as an e-mail attachment, can corrupt system memory, which could give an attacker the opportunity to execute remote code on the victim's system or to obtain elevated user privileges.
"In a Web-based attack scenario, an attacker would have to host a Web site that contains a specially crafted Excel file that is used to attempt to exploit this vulnerability," Microsoft said in its advisory. "In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker's site."
Both Microsoft and US-CERT, part of the National Cyber Security Division at the Department of Homeland Security, recommend that Microsoft Office users not open unexpected e-mail messages with attachments, or messages from unfamiliar sources.
In a blog post, Microsoft said it is working on a fix that will be released either as part of its regular patch schedule or in an out-of-band release, depending on the impact of the vulnerability.