Microsoft Warns Of Zero-Day Excel Hack

Late Friday, Microsoft's Security Response Center (MSRC) confirmed that malformed Excel spreadsheets are being used to trigger an unspecified vulnerability in Office 2000, Office XP, Office 2003, and Office 2004 for Mac.

"We are aware of very limited, targeted attacks attempting to use the vulnerability reported," said Alexandra Huft, a security program manager with MSRC, on the group's blog. The company "will provide updates through the MSRC weblog or the advisory as new information develops."

In an associated security advisory, Microsoft said the zero-day vulnerability's danger could extend beyond malicious Excel files, however. "While we are currently only aware that Excel is the current attack vector, other Office applications are potentially vulnerable," the advisory read. A patch is under development, Microsoft added.

"It's still too new to know whether this might actually impact other applications in Office," says Ken Dunham, director of VeriSign iDefense's rapid response team. "Part of the confusion in attacks like this is that the payload has to be examined to see if the vulnerability is the same [as an earlier one] or different, then the vulnerable component must be found. It's a somewhat lengthy process."

The Excel flaw is the fifth unpatched bug in Microsoft Office that's been confirmed since early December 2006. The four others -- three in December, one in January 2007 -- lurked in various versions of Microsoft Word. The run is similar to a multi-month run of Office vulnerabilities in mid-2006.

"Once hackers have [hold of] a file format with vulnerabilities, they focus on it," says Dunham in explaining why it's often the case that one bug leads to a second, a second to a third, and so on. "The same thing happened last year when they found a bug in the WMF [Windows Metafile] format. They started wondering what other image file formats had vulnerabilities."

Hackers, in fact, will systematically test a file format with "fuzzers," software tools that stress test applications with random input to look for crash conditions. VeriSign's iDefense researchers have spotted online test results of the Chinese hacking crews which launched targeted attacks in 2006 using malicious Office documents, Dunham said.

"When they find one hacker Easter egg [vulnerability], they naturally try to find more," says Dunham.

Users can protect themselves by not opening Office documents attached to e-mail messages or offered as downloads by Web sites, said Microsoft. Office 2007, the newest version of the Windows productivity suite, also is immune to the exploit.

The next regularly scheduled security updates from Microsoft will be issued Tuesday, Feb. 13. Microsoft hasn't said whether some, or all, of the unfixed Office flaws will be patched then.