Microsoft's Excel 97 includes a function that allows users to run applications from the spreadsheet itself. If those applications are malicious, Excel 97 spreadsheets could pose a security threat to users, Microsoft said.
Apparently, the problem involves the Call function of Excel 97. This function allows external executable files to be run directly from the worksheet but does not warn the user when the application is about to be run. If the application contains a virus or is otherwise harmful, it could compromise the security of the user's system.
"In theory, a hacker could send a spreadsheet to people with Excel on their machine and that spreadsheet could cause malicious code to run," according to a Microsoft statement. "A user could also encounter this problem by visiting a Web site that causes a spreadsheet to be opened or by opening a spreadsheet that could be attached to an email."
Microsoft has issued a security bulletin and yesterday posted a patch that disables the Call worksheet function. Microsoft is advising Excel 97 users who do not want to disable the function to "evaluate the degree of risk that it poses to their systems."
Microsoft has not received any reports of actual problems with the function, and calls the bug "theoretical" at this point. The flaw will be fixed in the next version of Excel, the company said.