Investigating new public reports of Excel vulnerability

I guess you have seen this, but I just want to make sure: Vulnerability in Microsoft Excel Could Allow Remote Code Execution.

I would like to quote two things:

Microsoft is investigating new public reports of a vulnerability in Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000, and Microsoft Excel 2004 for Mac. At this time, our initial investigation indicates that customers who are using Microsoft Office Excel 2007 or Microsoft Excel 2008 for Mac, or who have installed Microsoft Office Excel 2003 Service Pack 3 are not affected by this vulnerability.

<…>

  • This vulnerability cannot be exploited on Microsoft Office Excel 2003 Service Pack 3, Microsoft Office Excel 2007, Microsoft Office Excel 2007 Service Pack 1, or Microsoft Excel 2008 for Mac.
  • Customers who are running Microsoft Office Excel 2003 Service Pack 2 and have deployed Microsoft Office Isolated Conversion Environment (MOICE) are not affected by this vulnerability.

So, there are two things that are important in general from my point of view:

  • We released MOICE in order to fight against attacks through Office file formats – if you are running Office 2003, deploy it!
  • We recently had an internal discussion among security people (all of us are not measured by sales targets :-)). The question was: what is the most important recommendation we can give a customer? Basically the recommendation is easy (but sometimes hard to fulfill): Stay on the latest versions of all your software to mitigate threats. This is true not "only" for your Microsoft environment but for all your products.

Roger