Seems like we see a new one of these every day. The unfortunate fact is that you can’t really trust any attachment you get in your email these days.
Microsoft has released security advisory 932553.
It allows an attacker to execute code on your PC if they can get you to open a specially crafted Excel file. It can be used to attack all Office products, so be aware that an embedded excel file in your word document can be a problem too.
Some info on the problem:
-The vulnerability cannot be exploited on Office 2007 or on Works 2004, 2005, or 2006.
-An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
-In a Web-based attack scenario, an attacker would have to host a Web site that contains a Office file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker’s site.
-The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.
-Users who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a document.
No patch has been released yet. Until then Microsoft suggests this workaround:
Do not open or save Office files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Office file.
