Network News

X My Profile
View More Activity

Targeted Attacks Use Unpatched Excel Flaw

Microsoft said Tuesday that it has seen evidence that criminals are breaking into Windows systems through a previously unknown security hole in its Excel software.

Tim Rains, the security response communications lead for Microsoft, said in an e-mailed statement that "Microsoft is aware of specific targeted attacks that attempt to use this vulnerability."

Targeted attacks that leverage Microsoft Office security holes typically arrive in an e-mail that address the recipient by name and state some urgent reason that the recipient must open the attached file. Obviously, you should always be extremely cautious about opening e-mail attachments, even if they appear to have been sent by an entity or person you know or trust.

According to Microsoft's security advisory, this vulnerability affects Microsoft Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000, and Microsoft Excel 2004 for Mac. People who are using Microsoft Office Excel 2007, Microsoft Excel 2008 for Mac or have installed Microsoft Office Excel 2003 Service Pack 3 are not affected.

By Brian Krebs  |  January 16, 2008; 9:40 AM ET
Categories:  Latest Warnings  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Scareware Program Targets Mac Users
Next: Wishing an (Un)Happy Birthday to the Storm Worm

Comments

"Microsoft Office Excel Viewer 2003"

This is pretty scarey. The person it hits has not bought anything from Microsoft. Does the Viewer also phone home? Does the Viewer have the same "We own your computer" EULA as Office?

Posted by: GTexas | January 16, 2008 3:47 PM | Report abuse

I open attached documents using the office programs from OpenOffice.org. Is OpenOffice.org Calc immune from this attack?

Posted by: dumpster.penguin | January 16, 2008 6:04 PM | Report abuse

If you have Excel 2003, update your MS Office 2003 installation to service pack 3. The vulnerability doesn't exist in service pack 3.

If you're sticking with an older version, don't open Excel attachments while running as an administrator.

If you're still running as an administator on your home machine (the default in Windows XP), now's your chance to create a limited user account for daily use.

A limited user account is practically guaranteed to rescue you from disaster one of these days.

Posted by: Ken L | January 17, 2008 3:39 AM | Report abuse

I'd like to expand on dumpster.penguin's question and ask: is there a reference anywhere that compares OpenOffice 2.3 security to that of Microsoft Office 2007, 2003, or 2000? I have a number of reasons, both fiscal and paranoiac, for trying to diversify away from a Windows monoculture, and would settle for for reassurance that OpenOffice is, at least, no more vulnerable than Microsoft Office. Googling this question has not readily yielded anything quite on this topic. Any help?

Posted by: occdoc17 | January 17, 2008 8:41 AM | Report abuse

hey people think carefully on running back to old corel ventura 8.0 sp2

Posted by: wpklaus2007 | January 17, 2008 11:55 AM | Report abuse

Since it's using either bugs in Excel (which are extremely unlikely to be identical to bugs in OOo), and since OOo uses Java for its macros (Excel uses VBScript, I think...or VBA...something based on VB), I would be really surprised if OOo was also vulnerable.

Posted by: Mackenzie | January 17, 2008 1:53 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company