Security experts urge Excel users to apply the latest Microsoft patches, because malicious documents are making the rounds.
Matthew Broersma, Techworld
Security experts have warned that malicious Microsoft Excel documents are making the rounds via e-mail, exploiting an unpatched Excel vulnerability that has been known publicly since January.
The attacks come even as Microsoft has released several critical patches affecting every supported version of Office. The patches are believed to include a fix for the Excel bug.
Traveling by E-Mail
Security organization US-CERT issued a recent warning about a Trojan exploiting the Excel bug.
"This Trojan is circulating through email messages that contain attached Excel files," US-CERT said in an advisory. "Known file names for these attachments are OLYMPIC.XLS and SCHEDULE.XLS. These files may also contain Windows binary executables that can compromise an affected system."
Maarten Van Horenbeeck, handler with the SANS Institute's Internet Storm Center (ISC), confirmed the attacks and said SANS had been tracking several exploits over the last few days.
"It should be noted that the incidents we are aware of have been limited to a very specific targeted attack and were not widespread," Horenbeeck said in an advisory. "In total, we established approximately 21 reports of attacks using only 8 different files, from within the same two communities, so far."
Some of the sample Trojans connect back to a server to retrieve the IP address of the control server, Horenbeeck said.
Known Flaw
Microsoft first acknowledged the unpatched bug in January, in Security Advisory 947563.
The bug affects Excel 2003 Service Pack 2, Excel Viewer 2003, Excel 2002, Excel 2000, and Excel 2004 for Mac, Microsoft said. Successful attacks give the attacker the same rights as the local user.
This week Microsoft shipped four "critical" security fixes. The number of security bulletins Microsoft plans to issue is substantially below last month's 11 but the Office-only nature of the updates is unusual.
Of the patches, one appears to be for an Excel file format flaw and a second also relates to the spreadsheet application, while the third deals with a bug in Office Web Components -- controls that let users publish spreadsheets, charts and databases to the web, then view that content once it's published.