Microsoft Confirms Excel Zero-Day Attack Under Way

Microsoft June 15 confirmed that a new, undocumented flaw in its widely used Excel spreadsheet program was being used in an attack against an unnamed target.

The company’s warning comes less than a month after a code-execution hole in Microsoft Word was exploited in what is described as a “super, super targeted attack” against business interests overseas.

The back-to-back zero-day attacks closely resemble each other and suggest that well-organized criminals are conducting corporate espionage using critical flaws purchased from underground hackers.

In an entry posted to the MSRC (Microsoft Security Response Center) blog, Microsoft Operations Manager Mike Reavey said the company is investigating “a single report from a customer being impacted” by the latest attack.

“Here’s what we know: In order for this attack to be carried out, a user must first open a malicious Excel document that is sent as an email attachment or otherwise provided to them by an attacker,” Reavey said.

“Remember remember to be very careful opening unsolicited attachments from both known and unknown sources,” he added.

Microsoft has activated its security response process, which means a formal security advisory will be issued within 24 hours to suggest mitigation guidance and possible pre-patch workarounds.

“We’ve got the Office team engaged of course, and they are hard at work investigating the vulnerability,” Reavey said.

According to security alerts aggregator Secunia, the Excel flaw has been confirmed on a fully updated Windows XP SP (Service Pack) 2 system with Microsoft Excel 2003 SP2.

Anti-virus vendor Symantec said Windows 95, Windows 98, Windows Me, Windows NT and Windows 2000 computers are also at risk.

Symantec was the first to raise a red flag about the attack, which includes the use of a Trojan horse program called Trojan.Mdropper.J.

Read the full story on eWEEK.com: Microsoft Confirms Excel Zero-Day Attack Under Way