Microsoft has issued a security advisory after a growing number of attacks using Excel files.
A zero-day flaw has been found in Microsoft Office 2000, Office XP, Office 2003, and Office 2004 for Mac.
The vulnerability could allow a specially crafted Excel package to carry malware that could give a hacker full control of an infected PC.
"In a web-based attack, an attacker would have to host a website that contains a Office file that is used to attempt to exploit this vulnerability," said the advisory.
"In addition, compromised sites, and sites that accept or host user-provided content, would need to contain specially crafted content that could exploit this vulnerability.
"An attacker would have no way to force users to visit a malicious website. Instead, an attacker would have to persuade them to visit the website, typically by getting them to click a link that takes them to the attacker's site."
The BackDoor-CWA Trojan installs itself on the registry of infected machines and periodically checks for information to be downloaded from Usaaservice.com.
While knowledge of a flaw in Excel has been confirmed, it is not known whether the flaw affects other Office products. Files from Office 2007 or Works 2004/2005/2006 are not affected.
Microsoft is urging users to be careful with unexpected emails containing Office documents, even if they appear to come from an address in the user's corporate network.
Microsoft warns of zero-day attacks
By Iain Thomson on Feb 6, 2007 8:41AM