Microsoft Confesses to Major Excel Vulnerability, Advises.

By Angsuman Chakraborty, Gaea News Network
Wednesday, February 25, 2009

Microsoft confesses again. Though there is nothing to be ashamed of, MS. You have done it before more times than one can count. This time it is about a security leak in MS Excel. Microsoft is investigating new public reports of a vulnerability in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. In plain English, it means an attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights. Scared? I am sure you are not if you have been using Microsoft for years. It's just too common.

This vulnerability affects both Excel 2004 and 2008, as well as a number of Windows versions of the program. For now, the safest action to take is to not open Excel documents from unknown sources.

Microsoft also lists other mitigating factors:

  • In a Web-based attack scenario, an attacker would have to host a Web site that contains an Office file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker’s site.
  • The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.

For details, visit the Microsoft security advisory.
