A patch is in the works

Feb 25, 2009 09:06 GMT

Microsoft has officially confirmed attacks targeting a Critical 0-day vulnerability affecting various releases of Office Excel. According to the Redmond company, the vulnerability is being actively exploited in the wild and a patch is in the works, although no security update is available yet to resolve the flaw. The Microsoft Excel Invalid Object vulnerability is rated as Critical because a successful attack can allow an attacker to perform Remote Code Execution on an affected system. Attacks against the security flaw, which is caused by a Boundary Condition Error, were initially reported by security company Symantec.

“A vulnerability in Microsoft Office Excel that could allow for remote code execution if a user opens a specially crafted Excel file. At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability. We are developing a security update for Microsoft Office that addresses this vulnerability,” explained Bill Sisk, a communications manager at Microsoft's Security Response Center.

Sisk went on to reveal that “products affected are Microsoft Office 2000, Microsoft Office 2002, Microsoft Office 2003, Microsoft Office 2007, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac.”

The zero-day label associated with the vulnerability implies that the previously unknown security flaw was not reported to Microsoft, and that, as such, the company does not have a patch available to resolve the threat. In fact, the software giant only became aware of the issue after attacks were detected in the wild. A security update is currently in development, and Microsoft can either release it as an out-of-band security bulletin or resolve the vulnerability as part of its monthly patch cycle in early March 2009.

“Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or un-trusted sources. The Microsoft Office Isolated Conversion Environment (MOICE) will protect Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files. To install MOICE, you must have Office 2003 or 2007 Office system installed,” Microsoft advised.

Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats is available for download here.