
Microsoft warns of Excel zero-day flaw

By Bill Brenner, Senior News Writer
16 Jan 2008 | SearchFinancialSecurity.com

Security Wire Daily News

Attackers are actively exploiting a zero-day flaw in Microsoft Excel to infect and hijack targeted machines, the software giant warned in an advisory yesterday. The only defense at this point is to avoid opening Excel files from untrusted sources.

Microsoft Excel is used in many banking and financial firms and is the most popular spreadsheet application used by businesses for many bookkeeping tasks.

Microsoft Security Response Center spokesman Tim Rains said in an email Tuesday that the vulnerability affects Microsoft Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000, and Microsoft Excel 2004 for Mac. Customers who are using Microsoft Office Excel 2007, Microsoft Excel 2008 for Mac or have installed Microsoft Office Excel 2003 Service Pack 3 are not affected, he said.

Microsoft Security Advisory (947563) acknowledges "limited attacks" against the vulnerability. Microsoft said that once its investigation is completed it may release a patch either through its monthly security update or as an out-of-cycle release.

"Microsoft continues to encourage customers to follow the guidance of enabling a firewall, applying all software updates and installing antivirus and antispyware software," the software giant said in the advisory.

In addition to not opening untrusted Excel files, Microsoft recommended Excel 2003 customers consider using the Microsoft Office Isolated Conversion Environment (MOICE) or Microsoft Office File Block policy. MOICE is designed to convert Office 2003 files to the new Office 2007 Open XML format with the goal of squeezing malicious exploits from the file. It creates a "sandbox" with a restricted token where documents are scrubbed for malware. Once the malware is ejected, the file can be opened as it normally is in Office 2003.


