• On TV.com: THE GIRLS NEXT DOOR photos

February 5, 2007 7:20 AM PST

Excel under zero-day attack, Microsoft warns

By Dawn Kawamoto
Staff Writer, CNET News

  • Font size
  • Print
Related Stories

Microsoft reissues Excel security update

 January 18, 2007

Microsoft leaves Word zero-day holes unpatched

 January 9, 2007

Security from A to Z: Zero-day

 November 27, 2006

'Critical' patch for Office coming

 September 7, 2006

New Excel zero-day flaw used in attacks

 June 16, 2006
Microsoft is warning of an Excel-focused zero-day attack that affects several versions of its Office software, including one for Macs.

In its security advisory issued Friday, Microsoft warns people of a "very limited" zero-day attack that takes advantage of vulnerabilities in the Excel spreadsheet program.

The "extremely critical" Excel vulnerabilities are found in Microsoft Office 2000, Office 2003 and Office XP, as well as in Office 2004 for computers running Apple's Mac OS, according to a separate advisory from security company Secunia.

Attackers are sending e-mails with malicious Excel attachments and are hosting Web sites that house Office files that attempt to take advantage of the security flaws, according to Microsoft. Once an attacker exploits the vulnerabilities, they can gain control of a person's system remotely.

Microsoft noted that the vulnerabilities may extend beyond Excel.

"While we are currently only aware that Excel is the current attack vector, other Office applications are potentially vulnerable," Microsoft said in its advisory.

Microsoft is telling people to avoid opening or saving Office files that come from distrusted or unknown sources, or files that are e-mailed unexpectedly from trusted sources.

Earlier this month, Microsoft issued patches for five security flaws in Excel as part of its monthly patch cycle. In June, Excel was hit with another zero-day attack.

A zero-day attack is one that exposes software bugs before they have been patched.

See more CNET content tagged:
Microsoft Excel, Microsoft Office, vulnerability, attack, Apple Computer

Add a Comment (Log in or register) 16 comments
Confused -
by ArturoYee February 5, 2007 9:21 AM PST
I cannot run Office XP on Mac/OS X. How can that be?
Can only run Offices XP on Windows OS...
Reply to this comment
You can run it
by MacHeads February 5, 2007 10:18 AM PST
Using Parrallels or Fusion or Bootcamp . Parrallels will run the
environment in a virtual machine bootcamp will need you to boot
to xp but then again there is OpenOffice that runs perfectly on the
mac .
View reply
Deal of the day; and, a simple solution...
by Commander_Spock February 5, 2007 10:25 AM PST
... for you - Run OpenOffice on eComStation (formerly OS/2 Warp - Windows' better half-brother and the OS that banks and the "smart" Russians love) You get OpenOffice (with plenty of Lotus SmartSuite "code" inside) for "free" and you pay less than half-price the price of Windows for eComStation. Quite sure you do not need a rocket scientist to tell you what your savings will be. And just imagine - you do not get locked-in a proprietary office suite!
View reply
Office:mac 2004
by kelmon February 6, 2007 8:37 AM PST
Unless the article has been modified it seems pretty clear that the
Mac-aspect of it refers to a vulnerability within the version of Excel
distributed as part of the Office:mac 2004 package. While this is
disturbing news in that a virus writer can use Excel 2004 as a
backdoor into OS X it isn't particularly worrying since it continues
to rely on the user opening the malicious spreadsheet so active
participation is necessary.
Confused -
by ArturoYee February 5, 2007 9:21 AM PST
I cannot run Office XP on Mac/OS X. How can that be?
Can only run Offices XP on Windows OS...
Reply to this comment
You can run it
by MacHeads February 5, 2007 10:18 AM PST
Using Parrallels or Fusion or Bootcamp . Parrallels will run the
environment in a virtual machine bootcamp will need you to boot
to xp but then again there is OpenOffice that runs perfectly on the
mac .
View reply
Deal of the day; and, a simple solution...
by Commander_Spock February 5, 2007 10:25 AM PST
... for you - Run OpenOffice on eComStation (formerly OS/2 Warp - Windows' better half-brother and the OS that banks and the "smart" Russians love) You get OpenOffice (with plenty of Lotus SmartSuite "code" inside) for "free" and you pay less than half-price the price of Windows for eComStation. Quite sure you do not need a rocket scientist to tell you what your savings will be. And just imagine - you do not get locked-in a proprietary office suite!
View reply
Office:mac 2004
by kelmon February 6, 2007 8:37 AM PST
Unless the article has been modified it seems pretty clear that the
Mac-aspect of it refers to a vulnerability within the version of Excel
distributed as part of the Office:mac 2004 package. While this is
disturbing news in that a virus writer can use Excel 2004 as a
backdoor into OS X it isn't particularly worrying since it continues
to rely on the user opening the malicious spreadsheet so active
participation is necessary.
I See - only 2004 version for Macs
by ArturoYee February 5, 2007 9:24 AM PST
I see now ...
Reply to this comment
I See - only 2004 version for Macs
by ArturoYee February 5, 2007 9:24 AM PST
I see now ...
Reply to this comment
A New Microsoft Twist or what?
by wbenton February 6, 2007 6:15 AM PST
Microsoft usually denies other's claims of a zero-day flaw while they claim their engineers are checking up on it.

But this time around... Microsoft comes out with the information first?!?!?! (* BAFFLED *)

Microsoft still has 4 Zero-day Word flaws as of yet still in an unpatched state and now this Excel one... and brought up by Microsoft first!!!

Somebody has been aware of the flaw since they showed it to Microsoft (probably several months ago) and they probably pushed Microsoft to come out with this notice themselves...

Otherwise it's just not Microsoft-ish at all!

Likewise... even though they mention the zero-day flaw... where's the patch for it and/or when will it be released... along with the other 4 Word zero-day flaws?

No mention of them here either... now that's Microsoft-ish!!!

Walt
Reply to this comment
A New Microsoft Twist or what?
by wbenton February 6, 2007 6:15 AM PST
Microsoft usually denies other's claims of a zero-day flaw while they claim their engineers are checking up on it.

But this time around... Microsoft comes out with the information first?!?!?! (* BAFFLED *)

Microsoft still has 4 Zero-day Word flaws as of yet still in an unpatched state and now this Excel one... and brought up by Microsoft first!!!

Somebody has been aware of the flaw since they showed it to Microsoft (probably several months ago) and they probably pushed Microsoft to come out with this notice themselves...

Otherwise it's just not Microsoft-ish at all!

Likewise... even though they mention the zero-day flaw... where's the patch for it and/or when will it be released... along with the other 4 Word zero-day flaws?

No mention of them here either... now that's Microsoft-ish!!!

Walt
Reply to this comment
advertisement

Latest tech news headlines

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

Markets

Market news, charts, SEC filings, and more

Related quotes

Microsoft (-2.98%) -0.57 18.54
Apple (-2.22%) -2.03 89.38
Dow Jones Industrials (-2.91%) -243.48 8,132.76
S&P 500 (-3.14%) -26.56 818.66
NASDAQ (-2.64%) -38.16 1,407.40
CNET TECH (-3.10%) -32.44 1,012.57
  Symbol Lookup
advertisement

Inside CNET News

Scroll Left Scroll Right
News
Latest news
Business tech
Green tech
Wireless
Security
Media
Popular topics
Apple iPhone
Apple iPod
CES
Cell phones
Dell
GPS
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
Corrections
Customer Help Center
RSS
What's new
About CNET