Microsoft is warning of an Excel-focused zero-day attack that affects several versions of its Office software, including one for Macs.

In its security advisory issued Friday, Microsoft warns people of a "very limited" zero-day attack that takes advantage of vulnerabilities in the Excel spreadsheet program.

The "extremely critical" Excel vulnerabilities are found in Microsoft Office 2000, Office 2003 and Office XP, as well as in Office 2004 for computers running Apple's Mac OS, according to a separate advisory from security company Secunia.

Attackers are sending e-mails with malicious Excel attachments and are hosting Web sites that house Office files that attempt to take advantage of the security flaws, according to Microsoft. Once an attacker exploits the vulnerabilities, they can gain control of a person's system remotely.
Microsoft noted that the vulnerabilities may extend beyond Excel.
"While we are currently only aware that Excel is the current attack vector, other Office applications are potentially vulnerable," Microsoft said in its advisory.

Microsoft is telling people to avoid opening or saving Office files that come from distrusted or unknown sources, or files that are e-mailed unexpectedly from trusted sources.

Earlier this month, Microsoft issued patches for five security flaws in Excel as part of its monthly patch cycle. In June, Excel was hit with another zero-day attack.


A zero-day attack is a high-alert label. It's used to refer to the fact a bug in a piece of software has been unearthed and is at risk of being exploited by hackers before a patch to fix it is available.