Microsoft: Attackers Target Unpatched Excel Flaw

Microsoft Corp. is warning computer users that attackers are now exploiting a previously unknown security hole in the company's Excel spreadsheet software to break into vulnerable systems.

The vulnerability, which appears to be present in all supported versions of Microsoft Excel and Microsoft Office (including Office 2004 and Office 2008 for Mac), could be exploited merely by convincing a user to open a booby-trapped Excel file hosted on a hacked or malicious Web site, or sent as an attachment in an e-mail message.

Microsoft reports that it is "aware only of limited and targeted attacks that attempt to use this vulnerability," and that it is working on shipping a fix for the flaw. Symantec researchers report on the company's blog more or less supporting Microsoft's claim that this flaw is not yet widely being exploited.

But that should not deter readers from following this tried-and-true advice: If you didn't ask for it, be very cautious about opening e-mail attachments. If you're not sure whether someone you know meant to send you an attachment, reply back and check with the sender before deciding whether to download and open it.

Microsoft also released a non-security update that further disables the "Autorun" feature in Windows. This feature, on by default in Windows, is what's responsible for displaying the contents of a removable drive -- such as a USB stick or CD-ROM -- when users insert the devices into a Windows PC.

Malicious software writers have long abused this feature of Windows to spread their creations. More recently, this method of spreading made headlines with the emergence of the Conficker worm, which has spread to millions of PCs around the globe - in part due to a security hole Microsoft fixed late last year, but also by infecting removable media and spreading to new systems and networks via the Autorun feature.

Shortly after Conficker became a global pandemic, experts at the U.S. Computer Emergency Response Team and others pointed out that Microsoft's advice on how to disable Autorun in Windows wasn't quite complete.

The supplemental advice on how to do that involves editing the Windows registry -- by most accounts not a place for the computer novice to be mucking around deleting or editing entries. So, the fix Microsoft is releasing should make completely disabling Autorun in Windows as simple as downloading and installing the patch, or grabbing it via Microsoft Update, right?

Nope. The Autorun fix released this week merely changes things so that Windows actually honors whatever registry settings you may have changed for Autorun. According to Microsoft, in order to fully disable Autorun on Windows, users need to have installed the appropriate update from a list of patches Microsoft shipped late last year *and* edit the Windows registry, according to the rather labyrinthine instructions here.
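For administrators who would rather audit the registry setting than follow those instructions by hand, the following PowerShell script is an added example and is not part of the article or of Microsoft's guidance. It assumes the machine-wide Autorun policy is the `NoDriveTypeAutoRun` DWORD under `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer`, with `0xFF` meaning "no drive type may Autorun"; neither the key path nor the value appears on the page. As the article notes, Windows only honors this value once the relevant update is installed, so the script reports the policy but cannot tell you whether the update is present.

```powershell
# Added example (not from the article): audit and, with -Enforce, set the
# machine-wide Autorun policy value that the registry-editing advice concerns.
# Assumed (not stated on the page): the policy lives at the Explorer policies
# key below, value NoDriveTypeAutoRun (DWORD); 0xFF disables every drive type.
param([switch]$Enforce)

$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Name = 'NoDriveTypeAutoRun'
$Want = 0xFF

function Get-AutorunPolicy {
    # Returns the current DWORD, or $null when the value has never been set.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$current = Get-AutorunPolicy
if ($null -eq $current) {
    Write-Output "$Name is not set: Autorun falls back to the Windows default (enabled)."
} elseif (($current -band $Want) -eq $Want) {
    Write-Output ("{0} = 0x{1:X2}: Autorun disabled for all drive types." -f $Name, $current)
} else {
    Write-Output ("{0} = 0x{1:X2}: Autorun still permitted for some drive types." -f $Name, $current)
}

if ($Enforce) {
    # Writing under HKLM requires an elevated session; create the key if missing.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Want -PropertyType DWord -Force | Out-Null
    Write-Output "Set $Name to 0xFF; the change applies after the next logon or reboot."
}
```

Run it without arguments to see the current state; `.\Check-Autorun.ps1 -Enforce` from an elevated prompt writes the value. Because each bit of `NoDriveTypeAutoRun` masks one drive type, the script checks that all of the bits in `0xFF` are set rather than comparing for exact equality, so a value such as `0xFF` written by a policy tool and a larger value with extra bits set are both reported as fully disabled.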

Clear as mud? I thought so too. Perhaps that's why Microsoft issued this as "a security advisory about a non-security update."