Alert Number:  011608-03
Alert Date:  01/16/08
Alert Title:  *UNPATCHED* vulnerability in Microsoft Excel
Update-to:  None.
OS/Platform/Application:
Microsoft Office Excel 2007
Microsoft Office Excel 2003
Microsoft Office Excel Viewer 2003
Microsoft Office Excel 2002
Microsoft Office Excel 2000
Microsoft Excel 2004 for Mac
Microsoft Excel 2008 for Mac
Category:  ALERT
Severity:  HIGH
Attention:  System Administrators, Desktop Support Personnel, Excel users on Windows and Mac systems.

Summary:  On January 15 2008 Microsoft released Security Advisory 947563.  Advisory 947563 details a newly-discovered vulnerability in its popular Excel suite of products that if exploited could result in takeover of a vulnerable system.  The most likely mechanism of exploit appears to be the opening of a maliciously-crafted Excel document, for example as an email attachment or file hosted on a website.  Various Internet security-related agencies are also reporting this vulnerability and are rating it as "critical" or "extremely critical".  At the time of this writing (11:30 AM 1/16/08) no patch has been made available for the vendor to address this vulnerability.

Recommended Actions:  Windows and Mac system administrators and Excel users are encouraged to read the security advisories (safe links provided below) for more details.  Users should use extreme caution when opening Excel documents from untrusted sources or consider stopping the practice of opening such documents altogether until a patch has been provided from Microsoft.

Readers are encouraged to share this alert with family, friends, and associates who may use Excel on their home PCs and Macs.

ITS Actions:  N/A

Resources:

Microsoft Security Advisory 947563:
http://www.microsoft.com/technet/security/advisory/947563.mspx

FrSirt Advisory:
http://www.frsirt.com/english/advisories/2008/0146

Secunia Advisory:
http://secunia.com/advisories/28506/

SANS Advisory:
http://isc.sans.org/diary.html?storyid=3854