In Security Advisory (932553)

Feb 3, 2007 11:10 GMT

Microsoft Office vulnerabilities keep pouring in. The Redmond company has now confirmed the existence of the fifth unpatched zero-day vulnerability affecting various Office suites since December 2006. Microsoft has yet to issue security patches addressing any of the five security holes in Office.

Security Program Manager Alexandra Huft, from the Microsoft Security Response Center, has delivered a few details concerning the new zero-day. "I wanted to let people know about a new issue that we've activated our Software Security Incident Response Process (SSIRP) for: we have some information we can share from the investigation so far and I wanted to share it with you. This involves an issue that is currently being exploited using Excel documents. However, the issue can affect all Office documents," Huft said.

In Security Advisory (932553), Microsoft states that the newly discovered vulnerability could allow an attacker to achieve remote code execution on a compromised machine. Microsoft Office 2000, Microsoft Office XP, Microsoft Office 2003, and Microsoft Office 2004 for Mac are all affected by the Excel vulnerability. According to Microsoft, Office 2007 is safe.

Microsoft warned that it has detected a limited, targeted attack using the vulnerability in Excel as an attack vector, and added that other Office applications are also vulnerable.

A user first has to open a malformed Office file in order to become infected. Microsoft's only workaround is a piece of advice for Office users: "do not open or save Office files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Office file."