Microsoft Admits Excel Zero-Day Flaw

The flaw, which the company is currently investigating following initial reports, uses a malicious Excel spreadsheet file to try to access an invalid object. This creates a buffer overflow condition that enables the attacker to potentially execute arbitrary code.

The company says that it has already seen attacks in the wild, although these have been targeted attacks rather than mass attacks designed to compromise a large population. The firm has promised a patch, but hasn't set a date. It hasn't ruled out the possibility of an out-of-band patch should conditions escalate.

In the meantime, it has released a generic signature for inclusion in its two client-side anti-malware products, Forefront Client Security and Windows Live OneCare.

In a web-based attack, an attacker would lure a victim to a web site and get them to open the malicious spreadsheet after downloading it. The file could also be distributed via email. The flaw affects all versions of Excel since Office 2000 (including Office Mac 2008), along with the Excel viewer.

"An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights," said the company, further emphasizing the importance of running Windows in least-privilege mode.

Buffer overflows have been a thorn in Microsoft's side in spite of the secure development lifecycle which it has been pursuing for the past seven years. The company's research team in Silicon Valley is working on a project called XFI, which looks at software assurance methods that could enable the company to better predict when a program is going to branch into an address space that it shouldn't.

"The instrumentation of the code on the fly to trap all that stuff," said Roy Levin, the Silicon Valley Lab's managing director, who explained that XFI is designed to work on binaries rather than source code.
