A Microsoft Security Advisory note issued on January 15th revealed that Excel 2003 had been targeted by attacks on a previously unknown vulnerability.
The advisory provided few specific details, but explained that hackers would need to place a specially crafted Excel file on a Web site to launch an attack. Victims would be lured to the site by getting them to click a link in an e-mail or instant message.
The weak spot, which could allow hackers to run code on infected PCs, affects Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000, and Microsoft Excel 2004 for Mac. Microsoft said that so far, users of Microsoft Office Excel 2007 and Excel 2008 for Mac, or those who had installed Microsoft Office Excel 2003 Service Pack 3 were not affected.
Users who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a specially crafted document that is attempting to exploit this vulnerability.
"As the issue has not been publicly disclosed broadly, we believe the risk at this time to be limited," Microsoft said. Once it has investigated the wider impact of this new 'Zero day' (i.e. previously unreported) vulnerability, Microsoft would either provide a security update through its usual second Tuesday of the month release process, or issue an out-of-cycle security update if needed.