Attackers targeting unpatched vulnerability in Excel 2007
Microsoft's Excel spreadsheet program has a 0-day vulnerability that attackers are exploiting on the Internet.
A 0-day vulnerability is one that does not have a patch and is actively being used to attack computers when it is publicly revealed. Microsoft said Tuesday that it plans to patch the issue, but did not say when. The company's next set of security patches are set to be released March 9.
"At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability," wrote Microsoft Spokesman Bill Sisk in a blog posting. "We are developing a security update for Microsoft Office that addresses this vulnerability."
The vulnerability affects Microsoft Office 2007, Microsoft Office 2003, Microsoft Office 2002, and Microsoft Office 2000. It also affects the following Mac products: Microsoft Office 2008, Microsoft Office 2004, and the Mac's Open XML File Format Converter.
It was first disclosed Monday in an advisory posted on SecurityFocus, a Symantec-run Web site that tracks software flaws.
The program's vulnerability can be exploited if a user opens a maliciously-crafted Excel file. Then, a hacker could run unauthorized code. Symantec has detected that the exploit can leave a Trojan horse on the infected system, which it calls "Trojan.Mdropper.AC."
That Trojan, which works on PCs running the Vista and XP operating systems, is capable of downloading other malware to the computer.
Like another 0-day bug in Adobe's Reader and Acrobat software, this flaw is being exploited in dozens of targeted attacks, where victims are sent specially crafted messages tailored to make them open the malicious document, according to Vincent Weafer, vice president of Symantec Security Reponse. "We're seeing a lot of them come around different Asian government or industries or defense contractors," he said.
Hackers have increasingly sought to find vulnerabilities in applications as Microsoft has spent much effort into making its Vista OS more secure.
IDG News Service
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
security
Powered by Twitter
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.














Protect your PC.
Are you searching for antispyware at an affordable price? Then look no further. I have the perfect solution for you. I have found a scan that works as well as Norton and other scans that are more expensive. If you are interested in learning more then you can go to http://www.Search-and-destroy.com and see for yourself what the antispyware solution from Search-and-destroy has to offer. I’m sure that you will be very happy with Search-and-destroy Antispyware because I was and I have tried many different types of scans in the past. It’s a wonderful solution to that will help protect your PC.