A bug in Excel will allow an attacker to “jimmy a PC sufficiently to snatch control from the rightful owner,” according to Computerworld. Microsoft has published a security advisory as of Tuesday evening. This affects Office Excel 2000, 2002, 2003 SP2, Excel Viewer 2003, and Excel 2004 for Mac. It is not believed to affect Office Excel 2003 SP3 or 2007.
In lieu of a patch — which Microsoft did not promise it would produce — the company recommended that Office 2003 users run suspect Excel files through MOICE (Microsoft Office Isolated Conversion Environment), a free conversion tool released last year that converts Office 2003 format documents into the more secure Office 2007 formats to strip out possible exploit code. Alternately, it told administrators they could block all Office 2003 and earlier formats except those in "trusted locations" by using File Block, a last-ditch defense that requires editing the Windows registry or modifying Group Policy settings.
The last time that Microsoft patched any edition of Excel was in August 2007, when it issued MS07-044, an update that fixed a similar document format flaw in Excel 2000, Excel 2002, Excel 2003 and Excel 2004 for Mac.
Like many end users, I am directly affected by this. While I have tools in place that are supposed to protect me, I get concerned. I had planned to wait to upgrade my existing Office 2004 for Mac, but now I’m not sure that waiting is a good idea.
How do you protect your computer from being attacked by malicious code? Would you consider using File Block?
Microsoft warns of new Excel vulnerability (NetworkWorld)