14 DAY TRIAL // Microsoft has confirmed that the Office suite is once again under fire at the beginning of 2008. However, it seems that attacks only target the Excel component in a variety of Office versions. Concomitantly with revealing that a Critical, Zero-Day vulnerability is being actively exploited in the wild, the Redmond company provided assurance that users of the latest versions of the Office System are not at any risk from attack. Office Excel 2007, Excel 2008 for Mac, Office Excel 2003 Service Pack 3 as well as users that have installed Microsoft Office Isolated Conversion Environment (MOICE) are not affected by the vulnerability.
A member of the Microsoft Security Response Center revealed that: "a targeted attack exploiting a vulnerability in Microsoft Office Excel. Our investigation has shown that this vulnerability affects Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000 and Microsoft Excel 2004 for Mac. Microsoft Office Excel 2003 Service Pack 3, Microsoft Office Excel 2007 and Microsoft Excel 2008 for Mac are not affected as they do not contain the vulnerable code."
Microsoft informed that the the new Excel Zero-Day is being exploited by targeted and limited attacks. A successful exploit of the security flaw will give an attacker the same level of privileges as the user, and the ability to perform remote code execution. But in order for an attack to lead to a full compromising of the operating system, the user has to execute a specially crafted, malicious Excel document. Attacks can come either in the form of malformed Excel files served as email attachments or from a malicious website.
"Microsoft is investigating the public reports and customer impact. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. At this time, we are aware only of targeted attacks that attempt to use this vulnerability. Additionally, as the issue has not been publicly disclosed broadly, we believe the risk at this time to be limited," Microsoft explained.