A Microsoft security advisory has been published warning of a newly discovered vulnerability that could allow remote code to be installed on PCs, but has withheld details of the flaw. John Stokdyk reports.
The company usually deals with this sort of thing in its second Tuesday of the month security bulletin. But the latest, out-of-sequence advisory said the company is investigating reports of the new vulnerability, which could allow remote code execution if a user opens a specially crafted Excel file. This sort of weakness is known as a "zero day" exploit because malicious files have been found in the wild before the developer was aware there was a hole in its code.
According to Microsoft Security Advisory 968272 [1] the vulnerability is present in Excel 2007, Office XP Service Pack 1, Office 2000 and 2009, plus Excel 2004 and Office 2008 Mac software. It also affects the Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats.
Further details have been "reserved" on the Common Vulnerabilities and Exploits [2] database while the company investigates.
The Symantec Vulnerabilities & Exploits blog [3] reported discovering the new hacking technique on Tuesday and dubbed it Trojan.Mdropper.AC. "This vulnerability is one that we had not seen before," reported blogger Patrick Fitzgerald.
The vulnerability uses the old Excel binary .xls format rather than Excel 2007's .xlsx format. Opening the infected spreadsheet sets the malicious program off, which then opens a valid Excel document to conceal its presence. The blog advises users to "ensure that your definitions are up-to-date to protect yourself from the danger this issue presents".
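Because the attack relies on the legacy binary .xls container rather than the ZIP-based .xlsx format, a mail gateway or file-share scanner can at least triage attachments by container type instead of trusting the file extension. The following is an added example, not code from the article, Microsoft or Symantec: it identifies an Office file's container from its leading bytes (the OLE2 compound-document signature for binary .xls/.doc/.ppt, the ZIP local-file signature for Office Open XML) and flags legacy binary spreadsheets and extension/container mismatches. The sample inputs are constructed header fragments, and the function names are this example's own.

```python
import os

# Signatures of the two Office container formats (assumption: only these two matter for this check).
OLE_CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # OLE2 compound document: legacy binary Office
ZIP_MAGIC = b"PK\x03\x04"                             # ZIP local file header: Office Open XML (.xlsx etc.)


def classify_office_container(data: bytes) -> str:
    """Return 'ole2-binary', 'ooxml-zip' or 'unknown' based on the file's magic bytes.

    An OLE2 header alone does not prove the file is an Excel workbook (Word and
    PowerPoint binary files share it), so this is a triage signal, not a verdict.
    """
    if data.startswith(OLE_CFB_MAGIC):
        return "ole2-binary"
    if data.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Flag legacy binary spreadsheets and files whose extension disagrees with the container."""
    container = classify_office_container(data)
    ext = os.path.splitext(filename)[1].lower()
    # A .xlsx that is really an OLE2 file (or vice versa) is a classic way to slip past
    # extension-based filtering, so it is reported separately from the legacy-format flag.
    mismatch = (ext == ".xlsx" and container == "ole2-binary") or (
        ext == ".xls" and container == "ooxml-zip"
    )
    return {
        "filename": filename,
        "container": container,
        "legacy_binary": container == "ole2-binary",
        "extension_mismatch": mismatch,
    }


# Constructed sample inputs: just the first bytes a scanner would read, padded with zeros.
SAMPLES = {
    "quarterly.xls": OLE_CFB_MAGIC + b"\x00" * 504,   # genuine legacy binary workbook header
    "report.xlsx": ZIP_MAGIC + b"\x00" * 26,          # genuine Office Open XML (ZIP) header
    "invoice.xlsx": OLE_CFB_MAGIC + b"\x00" * 504,    # binary file renamed to look like .xlsx
    "notes.txt": b"just some text",                   # not an Office container at all
}


def triage_all(samples: dict) -> list:
    """Run the check over every constructed sample and return the list of results."""
    return [triage_attachment(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for result in triage_all(SAMPLES):
        flags = []
        if result["legacy_binary"]:
            flags.append("LEGACY-BINARY")
        if result["extension_mismatch"]:
            flags.append("EXTENSION-MISMATCH")
        print(f"{result['filename']:<16} {result['container']:<12} {' '.join(flags)}")
```

The check is deliberately cheap (eight bytes) so it can run inline on every attachment; anything reported as `ole2-binary` is a candidate for quarantine or sandboxed detonation until the vendor patch is applied, and an `extension_mismatch` deserves closer attention regardless of the content.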
UPDATE - 12 March: Microsoft's March security bulletin [4] tackled three vulnerabilities, including a potential hole in how the Windows kernel handles certain image files - but not the zero-day Excel vulnerability identified by Symantec. According to Information Week [5] and other news sources, Microsoft is testing a patch for the hole in Excel.
Links:
[1] http://www.microsoft.com/technet/security/advisory/968272.mspx
[2] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0238
[3] https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/vulnerabilities_exploits/article-id/189
[4] http://www.microsoft.com/technet/security/Bulletin/MS09-mar.mspx
[5] http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=215800831&subSection=News