February 24, 2009, 9:04 AM — Microsoft's Excel spreadsheet program has a 0-day vulnerability that attackers are exploiting on the Internet.
A 0-day vulnerability is one that does not have a patch and is actively being used to attack computers when it is publicly revealed. Microsoft said Tuesday that it plans to patch the issue, but did not say when. The company's next set of security patches are set to be released March 9.
"At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability," wrote Microsoft Spokesman Bill Sisk in a blog posting. "We are developing a security update for Microsoft Office that addresses this vulnerability."
The vulnerability affects Microsoft Office 2007, Microsoft Office 2003, Microsoft Office 2002, and Microsoft Office 2000. It also affects the following Mac products: Microsoft Office 2008, Microsoft Office 2004, and the Mac's Open XML File Format Converter.
It was first disclosed Monday in an advisory posted on SecurityFocus, a Symantec-run Web site that tracks software flaws.
The program's vulnerability can be exploited if a user opens a maliciously-crafted Excel file. Then, a hacker could run unauthorized code. Symantec has detected that the exploit can leave a Trojan horse on the infected system, which it calls "Trojan.Mdropper.AC."
That Trojan, which works on PCs running the Vista and XP operating systems, is capable of downloading other malware to the computer.
Like another 0-day bug in Adobe's Reader and Acrobat software, this flaw is being exploited in dozens of targeted attacks, where victims are sent specially crafted messages tailored to make them open the malicious document, according to Vincent Weafer, vice president of Symantec Security Reponse. "We're seeing a lot of them come around different Asian government or industries or defense contractors," he said.
Hackers have increasingly sought to find vulnerabilities in applications as Microsoft has spent much effort into making its Vista OS more secure.
