Thirteen security updates and a cornucopia of exploit code were already a lot for Microsoft customers to digest in one week. Now the software giant is warning of a new zero-day flaw in Excel that attackers could exploit to launch malicious code.
Microsoft Security Response Center Program Manager Mike Reavey said in the center's that one customer has reportedly been affected by an attack using a new vulnerability in the spreadsheet program.
He said the Windows Live Safety Center has been updated to detect the flaw "for up-to-date removal of malicious software that attempts to exploit the vulnerability."
Danish vulnerability clearinghouse Secunia issued an advisory labeling the flaw "extremely critical." That's the firm's highest severity rating and is typically reserved for remotely exploitable vulnerabilities that can lead to system compromise.
"This vulnerability is a so-called zero-day and is already being actively exploited," Secunia said, adding that the flaw is caused by an unknown error in the processing of specially crafted Excel documents. Secunia confirmed the security hole on a fully updated Windows XP SP2 system with Microsoft Excel 2003 SP2. Other versions may also be affected, Secunia warned.
The Bethesda, Md.-based SANS Internet Storm Center (ISC) is recommending users mitigate the Excel threat by heeding the same advice it offered last month, when Microsoft Word was hit by zero-day exploits. At the time, ISC recommended users observe at least some of the following defenses:
"These very general best practices should help alleviate the danger until Microsoft releases a patch or more specific workarounds" for the Excel flaw, the center said.
This article originally appeared on SearchSecurity.com.