The bug in Excel 2000 could yield control of the target computer, security analysts warned.
The vulnerability lets an attacker create an Excel file (.xls) that, upon being opened, can execute code placed in a dynamic link library (DLL). DLLs are files that application programmers use to share code among various Windows applications.
The exploit, demonstrated by Bulgarian bug hunter Georgi Guninski, requires two steps. First, the malicious code must be planted in the DLL, which has to sit either on the victim's computer or within reach via a file-sharing network. After that, the exploit's victim must open the booby-trapped Excel file.
Security experts said that existing security holes facilitate the first step.
"There are several previous security vulnerabilities that allow a malicious user to download a file to a victim's computer," SecurityFocus.com analyst Elias Levy warned in a security alert. "Those attacks may be combined with this one to breach a system."
Levy added that the DLL with hostile code could be accessed over the Internet as long as no firewall prevented the transfer.
Microsoft's Internet applications usually warn people who download potentially hostile code. Recent security upgrades to the company's Outlook productivity software suite and Outlook Express email shored up those products against security abuses, stopping some scripts from running automatically and applying "security zone" restrictions on incoming Outlook email.
Scripts are chunks of code that take actions on a computer automatically. Microsoft's Visual Basic Scripts (VBScripts) were at the heart of the "I Love You" bug and knockoffs that crippled email systems and caused billions of dollars' worth of damage in May.
But Guninski's Excel exploit bypasses those kinds of warnings and restrictions.
The exploit "makes no use of Visual Basic Scripting, and therefore the user will not get any warning about opening a potentially dangerous file," Levy warned. "It should also be noted that many Web browsers, including Internet Explorer, default to opening links to MS Office files without asking the user whether they want to save the file or open it."
A Microsoft representative said the company is working on a patch.
The Excel problem under investigation today is the second that Guninski has demonstrated with the product this summer. Last month, Guninski showed that software shipped with Excel and PowerPoint--Microsoft's slide presentation software--let a Web page save files anywhere on the computer, including in the start-up directory. That scenario could let a hostile file run as a local file with security clearance to do anything.