Microsoft Warns of Excel Flaw!
Reportedly, Microsoft is warning that cybercriminals are exploiting a new flaw in Excel that affects several versions of its Office software, including one for Macs.
In its security advisory issued last week, Microsoft warns people of a very limited zero-day attack that takes advantage of vulnerabilities in the Excel spreadsheet program. A zero-day attack is one that exploits software bugs before they have been patched.
This latest flaw affects Microsoft Office 2000, Office 2003, Office XP, and Office 2004 for computers running Apple's Mac OS.
According to reports, the vulnerability is caused by an unspecified error when handling strings and can be exploited to cause memory corruption. Successful exploitation allows execution of arbitrary code, resulting in a compromised user system.
The company further said that attackers are sending e-mails with malicious Excel attachments and are hosting Web sites with Office files that attempt to take advantage of the security flaws. Once an attacker exploits the vulnerabilities, he/she can gain control of a user's system remotely.
In its security advisory, Microsoft explained that as a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources. It has added detection to the Windows Live OneCare safety scanner for up-to-date removal of malicious software that attempts to exploit this vulnerability.
The company also pointed out that the vulnerabilities might extend beyond Excel. It said that while Excel is the only attack vector it is currently aware of, other Microsoft Office applications are potentially vulnerable.
Microsoft will reportedly provide free tech support to customers who believe they are affected by the zero-day attacks, and there is no charge for support calls that are associated with security updates.
Meanwhile, Microsoft is asking users to avoid opening or saving Office files that come from untrusted or unknown sources, or files that are e-mailed unexpectedly from trusted sources. The company is expected to patch this flaw as soon as its next set of security updates, which is due next Tuesday.