Want CNET to notify you of price drops and the latest stories?

Attack exploits unpatched Excel security hole

Windows users are warned to avoid opening suspicious attachments as Microsoft races to get a fix out for security hole in Excel.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read

Attackers are attempting to exploit an unpatched security hole in Excel that could allow someone to take control of a compromised computer, Microsoft said in a security advisory on Tuesday.

The attack exploiting the Excel Unspecified Remote Code Execution Vulnerability requires a computer user to open an attachment sent via e-mail that has a maliciously crafted Excel document, according to the advisory.

Microsoft said it is working on a security fix to plug the hole and will release it after it has completed testing. In the meantime, Windows users are urged to avoid opening Office files from untrusted sources or that arrive unexpectedly.

Affected software includes Microsoft Office 2000, 2002, 2003, and 2007 and Microsoft Office 2004 and 2008 for Mac.

The exploit uses weak encryption in an attempt to evade detection, according to Symantec. Symantec

Symantec has discovered malicious files in the wild in Japan that attempt to exploit the vulnerability and has updated its antivirus software to detect the malicious spreadsheet files it has dubbed Trojan.Mdropper.AC, the company said in a blog posting on Tuesday.

The risk is low and there have been few infections, Symantec said in an advisory. It lists Windows Vista and XP as affected systems.

"It turns out that this vulnerability exists in the old Excel binary .xls format and not the new .xlsx format," Symantec wrote. "Opening the malicious spreadsheet triggers the vulnerability. This causes the shellcode to execute and then drops two files on the system--the malicious binary mentioned earlier and another valid Excel document. The shellcode then executes the dropped file and opens the valid Excel document to mask the fact that Excel has just crashed. This helps to decrease suspicion when the affected spreadsheet is opened."

Microsoft also on Tuesday announced the availability of an update for Windows Autorun that allows people to selectively disable the Autorun functionality for drives on a system or network to provide more security.

The update addresses an issue that prevents the NoDriveTypeAutoRun registry key from functioning as expected. Disabling Autorun functionality can help prevent the execution of arbitrary code when a removable storage device is used.

The Autorun functionality has been blamed for malware that has infected USB thumb drives, leading to a temporary ban on their use at the U.S. Defense Department, and digital photo frames, among other storage types.