Excel under zero-day attack, Microsoft warns

Spreadsheet-focused attack affects several versions of company's Office software, including one for Macs.

Dawn Kawamoto
Dawn Kawamoto Former Staff writer, CNET News

Dawn Kawamoto covered enterprise security and financial news relating to technology for CNET News.

Microsoft is warning of an Excel-focused zero-day attack that affects several versions of its Office software, including one for Macs.

In its security advisory issued Friday, Microsoft warns people of a "very limited" zero-day attack that takes advantage of vulnerabilities in the Excel spreadsheet program.

The "extremely critical" Excel vulnerabilities are found in Microsoft Office 2000, Office 2003 and Office XP, as well as in Office 2004 for computers running Apple's Mac OS, according to a separate advisory from security company Secunia.

Attackers are sending e-mails with malicious Excel attachments and are hosting Web sites that house Office files that attempt to take advantage of the security flaws, according to Microsoft. Once an attacker exploits the vulnerabilities, they can gain control of a person's system remotely.

Microsoft noted that the vulnerabilities may extend beyond Excel.

"While we are currently only aware that Excel is the current attack vector, other Office applications are potentially vulnerable," Microsoft said in its advisory.

Microsoft is telling people to avoid opening or saving Office files that come from distrusted or unknown sources, or files that are e-mailed unexpectedly from trusted sources.

Earlier this month, Microsoft issued patches for five security flaws in Excel as part of its monthly patch cycle. In June, Excel was hit with another zero-day attack.

A zero-day attack is one that exposes software bugs before they have been patched.