MS Office Zero-Day Under Attack

paulBarbs writes "Microsoft is warning users to be on the lookout for suspicious Excel files that arrive unexpectedly — even if they come from a co-worker's e-mail address. In an advisory, Microsoft confirmed a new wave of limited "zero-day" attacks was underway, using a code execution flaw in its Microsoft Office desktop productivity suite. Although .xls files are currently being used to launch the spear phishing attacks, Microsoft said users of other Office applications (Word, PowerPoint, Outlook, Access, etc.) are potentially at risk."

How old are you?

[HomelessInLaJolla]

Dear Exploit,

How old are you? How long have you been available in the wild? How long did your brother exist in SP1 before you came along in SP2? Do you have a cousin which works in Win98/SE? How long have corporate managers been using you to spy on their employees?

Signed,

Secret Admirer

what?

[macadamia_harold]

MS Office Zero-Day Under Attack

*rereads headline* what?

I open Excel files 1 day after I receive them

[product+byproduct]

to protect myself against 0-day attacks.

Does not affect Office 2007

[ThinkFr33ly]

The fact that this does not affect Office 2007 suggests that Microsoft is learning from their mistakes.

This is further supported by other software they have released that went throught their "secure development lifecycle" initiative, including IIS 6.0, IIS 7.0, Windows Vista, Windows Server 2003, etc.

Of course, IIS 7 and Vista have only been out there for a few months now... so, obviously, the jury is still out on them.

Um... That's why standards exist

[Colin+Smith]

businesses need to be able to share documents with their business partners and clients, thusly, they must support the same file formats as their business partners and clients. That simply means you need standardised file formats, you don't need the same software.

Re:Glad I switched

[mccalli]

I am so glad I switched to open office. Now whenever one of these things happens I send the article to my friends along with a link for OpenOffice

Do you send links to any of these OpenOffice vulnerabilities as well?

Cheers,
Ian

Re:Do we know this for sure?

[DelawareBoy]

If you follow that logic, anything not open source is open to that vulnerability, Microsoft or not...

However, if you actually try the code which does impact Office 2003 and earlier additions, it does NOT work. Makes me glad I got my free copy of Office 2007.

It's not funny, why laugh?

[suv4x4]

I fail to see why posts talking about vulnerabilities in widely used software is tagged "haha". Is it really so funny?

The zombies that will result from those attacks will send spam even to your tricked out Linux PC. You're laughing at your own expense. Have fun.

Re:because it's not that easy

[zcat_NZ]

If only there were a single, well defined and completely open document format that could be used by anyone, with any office suite. That would be just great.

Re: eComStation and OpenOffice.org

[Planesdragon]

I also don't have to worry about the vendor shutting down my OS or apps remotely in the future.

Hi. I'm a PC user, with an HP laptop, and Office 2007. Not too long ago I had Vista Beta on this thing. And you know what? I don't have to worry about the vendor shutting me down ever. You know why? Because I live in a country that follows the rule of law, and can prove in a court that I purchased these things legally.

Part of me wishes they'd try -- it's amazing how good the upgrade from "punative damages" would be.

The Irony

[Tom]

Hi Bill. Didn't you just brag about windos security?

I dare anybody to do that once a month on the Windows machine. February: check